- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- How to set scheduled search to not run at certain ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set scheduled search to not run at certain time and date?
I have a scheduled search which runs on every 15 minutes
Not I like this search not to run on every Sat/Sun for 11AM to 12 PM or every last Thursday from 2 to 4 PM.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need several crons. The Thursday one is the annoying one.
weekdays other than Thursday
*/15 * * * 1,2,3,5
Weekend rules
*/15 1-10,12-24 * * 6,7
Thursday rules 31 day, 30 day, 28 day months
*/15 1-13,16-24 1-24 1,3,5,7,8,10,12 4
*/15 1-13,16-24 1-23 4,6,9,11 4
*/15 1-13,16-24 1-21 2 4
However, there's also leap years. Any leap year where February ends on a Thursday would need a different rule. so this set of crons fails on Feb 22nd, 2024.
That all being said, I'd strongly suggest you consider woodcock's ingenious suggestion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible now to set multiple crons on a single saved search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is IMPOSSIBLE to select a cron job or other stetting to have the search (not) run the way that you describe. What IS possible is to have it CRASH (and not complete) in the blackout periods. My trick operates from INSIDE the search and will cause the search to CRASH (and therefore fail to even begin to run) during the blackout period. So you set the search to run every 15 minutes and then short-circuit it like this
Your Base Search Here [|makeresults | addinfo
| eval date_hourmin=tonumber(strftime(now(),"%H%M"))
| eval date_wday = strftime(now(), "%a")
| eval blackoutPeriod = if(((date_wday=="Sat") OR (date_wday=="Sun")) AND ((date_hourmin>=1100) AND (date_hourmin<=1200)),"YES","NO")
| eval earliestMaybe = if((blackoutPeriod=="NO"), info_min_time, 1)
| eval latestMaybe = if((blackoutPeriod=="NO"), info_max_time, 0)
| eval search="earliest=" . earliestMaybe . " latest=" . latestMaybe]
The Rest Of Your Search Here
I leave the logic for "last Thursday" to you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For certain values of the term "impossible".
The request requires several crons.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edit the schedule for your search and choose Cron Schedule instead of basic schedule. Specify the days and times that you want the search to run, using Cron notation. For example, to run every 15 minutes every day, except Sat/Sun, do this
*/15 * * * 1,2,3,4,5
You should probably take a look at the documentation topic: Schedule Reports - Design a report schedule using standard cron notation
Frankly, I don't know how to specific "last Thursday of the month" in cron notation.
And if you want to specify that the report can run within a 2 hour window, enter 120 (minutes) in the "Window" setting.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply, however I am looking for more in it
e.g not to run on Sat/Sun from 2 PM to 4PM
or run all week excluding sat/sun 2pm to 4 PM
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
