Alerting

Cron job for the search below?

m7787579
New Member

Hi Splunkers,

I have to run my search 11 times a day at the times listed below: one run captures data from the last 12 hours and the other 10 runs capture the last 1 hour of data.

One way of doing this is to clone the search and create two searches with the same name:

1) one report for the first run, capturing the last 12 hours of data
2) one report for the remaining 10 runs, capturing the last 1 hour of data

Is there any way I can do this without changing/cloning the search?

XYZ Search   
Number  Run At      Start time  End time
1   07:47:00        17:47:00    07:47:00
2   08:47:00        07:47:00    08:47:00
3   09:47:00        08:47:00    09:47:00
4   10:47:00        09:47:00    10:47:00
5   11:47:00        10:47:00    11:47:00
6   12:47:00        11:47:00    12:47:00
7   13:47:00        12:47:00    13:47:00
8   14:47:00        13:47:00    14:47:00
9   15:47:00        14:47:00    15:47:00
10  16:47:00        15:47:00    16:47:00
11  17:47:00        16:47:00    17:47:00
0 Karma

gcusello
SplunkTrust

Hi,
you could:

  • schedule your alert to 47 7,8,9,10,11,12,13,14,15,16,17 * * *

  • set the time period of your search to the last 12 hours

  • and modify your search in this way

    your_search
    ```cutoff is an epoch time, so the 1-hour window also works when it crosses an hour boundary```
    | eval cutoff=if(tonumber(strftime(now(),"%H"))=7, relative_time(now(),"-12h"), relative_time(now(),"-1h"))
    | where _time>=cutoff
    | ...

In this way, if the search is executed at 7 it takes events from the last 12 hours; if it's executed at a different hour it takes events from the last hour.

Bye.
Giuseppe

0 Karma

martin_mueller
SplunkTrust

For the clone approach, make sure you have the bulk of the search stored in a macro to avoid code duplication, which is a maintenance nightmare.

Without cloning, you'd have to make the search self-aware and inspect its time range as well as its schedule time in order to deviate once a day and also search an additional 13 hours. That's possible to build using subsearches to generate earliest and latest, but from a maintenance and robustness point of view your two searches might be better.
In a way, you are running two different searches. One looks at an entire off-peak time / night, the other looks at a single hour. Depending on what your searches are actually doing, the two might be very different indeed.

Even better, step back a bit and examine your requirements if there's a different approach. To help here we'd need to know more about that.

0 Karma
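As an added example (not code from this thread or from either answerer), here is one way to build the "self-aware" single saved search that Martin sketches, combining his subsearch-generated earliest/latest with the hour test from Giuseppe's answer. The stanza name, index, sourcetype and the trailing `stats` are assumptions; the cron line and the 12h/1h windows come from the question.

```ini
# local/savedsearches.conf (added example; stanza, index and sourcetype names are assumptions)
[xyz_search]
enableSched = 1
# 47 minutes past every hour from 07:00 to 17:00: the 11 runs in the question
cron_schedule = 47 7-17 * * *
# the widest window any run needs; the subsearch narrows it per run
dispatch.earliest_time = -12h
dispatch.latest_time = now
# The subsearch runs first and returns earliest=<epoch> latest=<epoch>.
# Time modifiers inside the search string override the dispatch range,
# so the 07:47 run searches the last 12 hours and every other run the last 1 hour.
search = index=main sourcetype=xyz \
    [| makeresults \
     | eval run_hour=tonumber(strftime(now(),"%H")) \
     | eval earliest=if(run_hour=7, relative_time(now(),"-12h"), relative_time(now(),"-1h")) \
     | eval latest=now() \
     | return earliest latest] \
    | stats count by host
```

Two checks before relying on this: `strftime(now(),"%H")` and the cron schedule are both evaluated in the timezone of the user who owns the saved search, so the `run_hour=7` test only fires when the 07:47 run actually executes during the 07 hour; a scheduler that skips or delays that run past 08:00 will silently take the 1-hour branch, which argues for Martin's point about robustness. Also note that the table in the question lists 17:47 to 07:47 for the first run, which is 14 hours, not 12; if that is the real requirement, change `-12h` in both places to `-14h`.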