Solved: Monthly Saved Search For Previous Month

peasead · ‎12-18-2012

I'd like to create a saved search that run monthly for the previous month. I know how to do that in the Search app, but when creating a saved search, I don't see those options.

I am going to try and schedule cron 0 0 1 * * and fill the Start Time with "-1mon@mon" and the End Time with "@mon".

Is that going to work?

lguinn2 · ‎12-18-2012

Yes, just run the search in the Search app, and then save it as a scheduled search. Your cron schedule will have the search run at 00:00 on the first day of each month; that seems okay, although I would make it

10 0 1 * *

So that it runs at 10 minutes past midnight. That way, any data that was enroute from the forwarders will arrive and be indexed before the search runs.

The start and end time look correct.

View solution in original post

lguinn2 · ‎12-18-2012

Yes, just run the search in the Search app, and then save it as a scheduled search. Your cron schedule will have the search run at 00:00 on the first day of each month; that seems okay, although I would make it

10 0 1 * *

So that it runs at 10 minutes past midnight. That way, any data that was enroute from the forwarders will arrive and be indexed before the search runs.

The start and end time look correct.

Monthly Saved Search For Previous Month

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio