Reporting

Schedule a report to run each day so that query is not run every time viewed

atornes
Path Finder

I've created a lot of reports and a number of dashboards, some of which are pretty complex. We don't have splunk setup on the best machine, so some of these queries take a while to run and dashboards can break or take forever to view while all of the reports are generated, sometimes they timeout.

All reports are based on daily data that is pulled in each night around midnight. Is there a way to schedule each report to run early in the morning, say 6am, each day so that every time someone views a dashboard with that report that day, it doesn't have to re-run each time and take forever to load, as its been "pre-run/scheduled"? I don't need it to be emailed to me or anything.

1 Solution

lguinn2
Legend

Yes - simply edit each search and check the box for "schedule this search". Under scheduled search, you can choose schedule type "cron". In the cron schedule box put

0 6 * * *

Save your changes. (Don't choose any of the alerts or notifications.) The search will run automatically every morning at 6:00 am.

The dashboard will automatically pick up the cached results. BTW if someone runs the search manually during the day, the dashboard will then pick up the latest results.

View solution in original post

lguinn2
Legend

Yes - simply edit each search and check the box for "schedule this search". Under scheduled search, you can choose schedule type "cron". In the cron schedule box put

0 6 * * *

Save your changes. (Don't choose any of the alerts or notifications.) The search will run automatically every morning at 6:00 am.

The dashboard will automatically pick up the cached results. BTW if someone runs the search manually during the day, the dashboard will then pick up the latest results.

p_splunk
Engager

hey, i found it out now,
you have to have the specific search saved before and then after "edit search" you have to click "Select a saved search" then u are where lguinn says (i think so 😉

that's how mine worked out,
thx

0 Karma

lguinn2
Legend

In 4.3.3, you can click Edit on the dashboard to put the dashboard in edit mode, then click Edit on the dashboard panel and then Edit Search and Edit in Manager to get to the point that I mentioned above.

However, in all versions of Splunk, you can go to the Manager, choose Searches and Reports and then click the name of the search that you want to edit.

0 Karma

p_splunk
Engager

when i see my view/dashboard, do i need to click vie result for every search and then create a scheduled search of this search?
beacuase I cannot find the checkbox u are talking about (i have 4.3.3)

thx for answer

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...