How do you delay a report execution to avoid missing data due to indexing delays?

alicepessani
Explorer

Hello,

I'm trying to launch a report through the Search and Reporting app, but I need to insert a delay in the report execution in order to avoid missing data due to indexing delays.

As of now, my report is scheduled as follows:

  • I want to launch the report every day every half an hour, so I set Cron Expression-->0,30 star star star star

  • I want to launch the report for the last 30 minutes, so I set through Select Time Range --> Earliest 30 minutes ago (with Beginning of minute flagged) and Latest with Beginning of current second set

Example --> I want to run the report at 8 PM and consider a search window of last 30 minutes from 7:30 PM to 8:00 PM (the same at 8:30 PM, 9:00 PM 9:30 PM,....)

But, in this way, I am not counting all data/events due to an indexing delay. For this reason, I need to find a solution that:

  1. Allows me to insert a delay in report execution --> e.g. 1 minute delay (so if in the previous example the report was scheduled at 8 PM, I want to execute it at 8:01 PM)
  2. Allows me to set the search window always as the last 30 minutes of the current half an hour (e.g. in my example, if I execute the report at 8:01 PM my search window should always be from 7:30 PM to 8:00 PM); furthermore, I want to set the earliest of the window with "Beginning of minute" and Latest with "Beginning of current second".

Is there a way to satisfy my requirement?

I know that in ITSI there is the possibility to add a "Lag" to perform a search with a delay in reference to the time window of the base/ad hoc search of a Service. Is there the same functionality also in Search and reporting App?

Thanks for your feedback.

Alice

darrenfuller
Contributor

Hi @alicepessani,

I believe I understand your question to be how to run a report delayed. To do what you are looking for, you should do the following:

To set the report to delay a minute to allow for your indexing delay, set your cron schedule to be something like:

1,31 * * * *

Then for the time picker, to set the report to run for 30 minutes starting at :00 or :30, rather than selecting "Last 30 minutes" go to Advanced and set

earliest=-31m@m latest=-1m@m

(the @m anchors the selection at :00 seconds)

Make sure you set your time window to 0 to ensure the report runs on time and not in a window.

Good luck!

0 Karma

alicepessani
Explorer

Hi @darrenfuller ,

thanks for your reply, but I have already discarded this solution for the following reason: if I set the report with cron schedule 1,31 * * * * but my report then runs at 20:03, for example, because other reports are running in parallel and are absorbing resources, my search time window will not be from 19:30 to 20:00 but from 19:32 to 20:02 (please consider that we would like to leave the choice of the window in which to start the Scheduled Report to the Splunk Scheduler in order to avoid skipped searches, and this is just the first of a series of reports that will be scheduled).

Could you kindly suggest a way to meet my requirement?

Regards,

Alice

0 Karma
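
The drift discussed in this thread, as an added example that is not part of any post and is not Splunk code: a Python model of a 30-minute window ending one minute before the start (`earliest=-31m@m latest=-1m@m`), assuming the modifiers are resolved against the time the search actually starts, as the reply above describes. The `aligned_window` helper is hypothetical and floors to the half-hour boundary instead; the start times are constructed.

```python
from datetime import datetime, timedelta

def snap_minutes_ago(now, minutes):
    """Model of '-<minutes>m@m': go back N minutes, then snap down to :00 seconds."""
    return (now - timedelta(minutes=minutes)).replace(second=0, microsecond=0)

def fixed_offset_window(now):
    """earliest=-31m@m latest=-1m@m, resolved against the actual start time."""
    return snap_minutes_ago(now, 31), snap_minutes_ago(now, 1)

def aligned_window(now, lag=timedelta(minutes=1), width=timedelta(minutes=30)):
    """Hypothetical helper: the last full half hour that ended at least `lag` ago."""
    ref = now - lag
    midnight = ref.replace(hour=0, minute=0, second=0, microsecond=0)
    latest = midnight + ((ref - midnight) // width) * width  # floor to :00 or :30
    return latest - width, latest

def compare(start_times):
    """Return (start, fixed window, aligned window) as strings, one row per start."""
    fmt = lambda pair: "-".join(t.strftime("%H:%M") for t in pair)
    return [(s.strftime("%H:%M:%S"), fmt(fixed_offset_window(s)), fmt(aligned_window(s)))
            for s in start_times]

if __name__ == "__main__":
    # Constructed start times: on schedule, delayed by the scheduler, next slot.
    day = datetime(2024, 1, 10)
    starts = [day.replace(hour=20, minute=1),
              day.replace(hour=20, minute=3, second=20),
              day.replace(hour=20, minute=31, second=5)]
    for row in compare(starts):
        print("start %s  fixed %s  aligned %s" % row)
```

The aligned window is identical for any start from :01:00 through :30:59, so a scheduler delay shorter than that does not move it.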