How to Configure Sequential Searches...

lpolo
Motivator

I have 5 queries that have to be run in sequential order.
Is there a way in Splunk to schedule 5 searches like presented in the example?

Example:
Schedule Search 1 -> Runs every 2 hours.
Search 2 -> Runs after schedule search 1 is executed.
Search 3 -> Runs after search 2 is executed.
Search 4 -> Runs after search 3 is executed.
Search 5 -> Runs after search 4 is executed.

Any ideas will be appreciated.

Thanks,
Lp

Ledion_Bitincka
Splunk Employee

The best way to solve this is through a script which has the flexibility of deciding when to dispatch the searches. You can decide whether to wait for a search to complete before dispatching the next one, or maybe dispatch a couple of them in parallel, or even modify a search based on the results of the previous search.

0 Karma

lpolo
Motivator

I have been able to solve this problem in two ways.
1) By determining the max execution time of every scheduled search and then configuring the scheduled search time of each search accordingly. This approach has its limitations.

2) By creating a script that assures that the set of searches are executed in the defined sequential order based on the result set data flow.

It would be nice if the user could use the search scheduler to define the execution order of a set of scheduled searches based on the result set data flow as presented in the example.

Thanks.
Lp

0 Karma
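
The script-based approach from the replies above, as an added example that is not code from any poster or from Splunk: it dispatches each saved search over splunkd's REST API and polls the job until it is done before starting the next one. The management URL, the bearer token and the use of the global `/services` namespace (rather than `/servicesNS/<user>/<app>`) are assumptions.

```python
import json
import time
import urllib.parse
import urllib.request


class SplunkREST:
    """Thin client for splunkd's management port (URL and token are assumptions)."""

    def __init__(self, base_url, token):
        self.base_url, self.token = base_url.rstrip("/"), token

    def call(self, path, data=None):
        # data=None sends a GET; a dict (even an empty one) sends a POST.
        body = None if data is None else urllib.parse.urlencode(data).encode()
        req = urllib.request.Request(
            f"{self.base_url}{path}?output_mode=json", data=body,
            headers={"Authorization": f"Bearer {self.token}"})
        # TLS verification stays on: trust splunkd's CA instead of disabling it.
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)


def run_chain(client, saved_searches, poll=5.0, timeout=3600.0, sleep=time.sleep):
    """Dispatch saved searches strictly one after another.

    Returns [(name, sid, resultCount), ...]; raises on the first failed or
    timed-out job so that later searches never run on incomplete data.
    """
    finished = []
    for name in saved_searches:
        quoted = urllib.parse.quote(name, safe="")
        sid = client.call(f"/services/saved/searches/{quoted}/dispatch", data={})["sid"]
        job_path = f"/services/search/jobs/{urllib.parse.quote(sid, safe='')}"
        waited = 0.0
        while True:
            job = client.call(job_path)["entry"][0]["content"]
            if job.get("isFailed"):
                raise RuntimeError(f"{name} ({sid}) failed; chain stopped")
            if job.get("isDone"):
                break
            if waited >= timeout:
                raise TimeoutError(f"{name} ({sid}) still running after {timeout}s")
            sleep(poll)
            waited += poll
        finished.append((name, sid, job.get("resultCount", 0)))
    return finished
```

Scheduling only this script every 2 hours (for example from cron) and leaving the five saved searches unscheduled gives the order in the question. A token tied to a role that can do no more than run these searches keeps the stored credential low-value.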

reed_kelly
Contributor

I agree that this would be a nice enhancement. We have created a lot of independent scheduled searches along with emails of attached CSV reports. We could convert it all to a script, but we have tried to do everything natively.

0 Karma

lpolo
Motivator

Yes. I have a sequential inter-dependency as I presented in the example.

Thanks.

0 Karma

lguinn2
Legend

Does each search have to wait until the prior search completes?

0 Karma