Reporting

Is there a way I can schedule a saved search to run every 2 weeks?

adityapavan18
Contributor

I want to schedule a saved search to run on Sunday 1 AM every 2 weeks.

i.e. I need a search query to run

July 12, 2015 01:00:00 earliest:06/28/2015:00:00:00 latest:07/12/2015:00:00:00

July 26, 2015 01:00:00 earliest:07/12/2015:00:00:00 latest:07/26/2015:00:00:00

and so on.

Can anyone help me set up cron and earliest/latest for this scenario?

Thanks

0 Karma

ppablo
Retired

Hi @adityapavan18

Can you confirm if @woodcock's answer below solved your issue? If yes, be sure to click "Accept" directly below his answer to resolve the post. If not, can you please comment on the answer and provide more details?

0 Karma

joao_amorim
Communicator
0 Karma

grijhwani
Motivator

Cron does not have the concept of multiples of weeks. The best you could manage with cron would be to schedule for every Sunday or fixed days of the month.

0 Karma

koshyk
Super Champion

Are you OK if the saved search runs every week but with the data set of the last 2 weeks? You just need to ignore the weeks which you don't want.
It will become very simple in cron.

0 Karma

woodcock
Esteemed Legend

This is not possible directly. You will have to run it every week and then short-circuit the job using addinfo and map for the weeks that it is not supposed to run like this (extra steps for clarity):

| noop | stats count AS runThisWeek | addinfo | eval runThisWeek = if(((tonumber(strftime(now(),"%W"))%2)==1),"YES","NO") | eval earliestMaybe=if((runThisWeek=="YES"), info_min_time, now()) | map search="search earliest=$earliestMaybe$ latest=$info_max_time$ YOUR SEARCH HERE"

For the weeks it is not supposed to run, the search will generate an error.

DalJeanis
SplunkTrust

Refactoring your method in order to not generate an error, just an empty search, it looks like this if the alert is to run whenever there are results...

YOUR SEARCH HERE 
 [ | noop | stats count AS search 
   | eval search=if(((tonumber(strftime(now(),"%W"))%2)==1),"SomeLongStringHereWhichWillNeverBeFoundInBloomFilters","")] 
| YOUR PROCESSING HERE

Of course, when the alert is to fire if there are NO records, then you'd have to have another clause afterward to create them...

0 Karma

woodcock
Esteemed Legend

I like the error, but it surely is a matter of taste.

0 Karma

DalJeanis
SplunkTrust

Surely. Otherwise known as YMMV.

0 Karma

woodcock
Esteemed Legend

I sure do wish somebody would click Accept already!

0 Karma

woodcock
Esteemed Legend

So did this work for you? If so, make sure you "Accept" an answer to close the question.

0 Karma

jodros
Builder

I do not think that there is a way to schedule this natively within the cron notation. I would agree with this answer and give it a try. Most *nix admins reference a script in crontab to accomplish this.

Thanks

0 Karma
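
The gate in woodcock's answer keys on the parity of the `%W` week number, which restarts every January. The simulation below is an added example, not code from any poster or from Splunk: it replays the weekly Sunday 01:00 schedule from the question's first run date and reports where the executed runs stop being 14 days apart. Assumptions: Python's `%W` (week of year, Monday first, 00-53) is taken to match the `%W` used in the thread, and `anchored_gate` is a hypothetical alternative that counts whole weeks from a fixed start date.

```python
from datetime import datetime, timedelta

ANCHOR = datetime(2015, 7, 12, 1, 0)  # first run date given in the question

def sunday_runs(start, end):
    """Yield every weekly cron firing (Sunday 01:00) from start up to end."""
    t = start
    while t <= end:
        yield t
        t += timedelta(weeks=1)

def parity_gate(t):
    """Gate from the thread: run only when the %W week number is odd."""
    return int(t.strftime("%W")) % 2 == 1

def anchored_gate(t, anchor=ANCHOR):
    """Assumed alternative: run on even whole weeks counted from a fixed anchor."""
    return ((t - anchor).days // 7) % 2 == 0

def fired(gate, start, end):
    """Weekly firings that pass the gate, i.e. the runs that really execute."""
    return [t for t in sunday_runs(start, end) if gate(t)]

def gaps(runs):
    """(previous run, next run, days between) for consecutive executed runs."""
    return [(a, b, (b - a).days) for a, b in zip(runs, runs[1:])]

def irregular(gate, start, end, period_days=14):
    """Consecutive executed runs whose spacing is not the intended period."""
    return [g for g in gaps(fired(gate, start, end)) if g[2] != period_days]

if __name__ == "__main__":
    start, end = ANCHOR, datetime(2019, 3, 1)  # constructed sample range
    for name, gate in (("%W parity", parity_gate), ("anchored", anchored_gate)):
        bad = irregular(gate, start, end)
        runs = fired(gate, start, end)
        print(f"{name}: {len(runs)} runs, {len(bad)} irregular gap(s)")
        for a, b, days in bad:
            print(f"  {a:%Y-%m-%d} -> {b:%Y-%m-%d}: {days} days "
                  f"(week numbers {a:%W} -> {b:%W})")
```

Over this range the parity gate skips two Sundays in a row at the 2018 to 2019 boundary (week numbers 52 and 00 are both even), so a search that looks back exactly two weeks would leave one week unread; counting weeks from a fixed date keeps the spacing at 14 days.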