Manually Trigger Scheduled Saved Search

sondradotcom · ‎12-01-2010

I'm building some dashboards with panels that refer to scheduled saved searches. To be prudent, I'm scheduling the search to run once an hour. However, as I'm building the dashboard and tweaking the syntax for the saved search, I'd like to be able to manually run the saved search and have the results show up in the dashboard immediately. Right now the panel in the dashboard will only show the most recent scheduled saved search. So, for example:

1) I design a search, save it, schedule it to run hourly, create a dashbhoard, add it as a panel. It shows up -- great. 2) I go back and modify the saved search. Go back to dashboard. Panel still only shows first version of saved search. Must wait 1 hour to see changes.

So, I know I can just temporarily schedule the saved search to run every minute, but that seems inelegant. Is there a more elegant way to manually run a scheduled save search and see the results propagate across the dashboard panels that refer to that saved search?

Thanks! -S.

samlinsongguo · ‎05-22-2017

In the schedule you can do run every hours/days/weeks.... and there is any optino run on cron schedule that is where you can make the report trigger in next min

woodcock · ‎05-13-2017

It is not the same thing BUT this is almost as good for some cases: You can use the Summary Index backfill script from the CLI to fake runs over any period that you like so you can easily validate that it works the way that you expect:

https://docs.splunk.com/Documentation/Splunk/6.5.1/Knowledge/Managesummaryindexgapsandoverlaps

matthieu_araman · ‎06-11-2015

got the same need here.
running in the ui is not what I need.

Having a "shedule once now" link after "run" would be great.
It would allow :
- mail action when used
- for debug or after correcting a scheduled report, it is useful to relaunch it manually without losing the schedule (ie if it runs weekly on a particular day, it should not be changed in the report definition)
-report run in the background as a schedule process like if it was schedule in the future.

having to edit each report to change the cron for one run is painful (and you have to check that time didn't change while you're editing...)

Jason · ‎04-20-2011

To get that first artifact, I always just schedule the search for 1 minute in the future via cron (example: it is now 3:23pm, set it for 24 15 * * *). Then I let it run, generate the saved artifact to check out in my dashboard, then when it's right I set it to the final schedule it needs to have.

MarioM · ‎12-01-2010

in Manager> Searches and Report in right and side of your saved search there is a Run which will run the search. Is it what you looking for?

Dan · ‎12-15-2010

Yeah, the scheduler has to run it to update the report artifact. I think this is an enhancement request that you should file by emailing your use case to support@splunk.com

sondradotcom · ‎12-02-2010

I have tried that, but it doesn't seem to save this manually triggered search in such a way that it overwrites the most recent scheduled run of the same report (and therefore show up in the dashboards that refer to it...).

Manually Trigger Scheduled Saved Search

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms