Reporting

Schedule a report to run each day so that query is not run every time viewed

atornes
Path Finder

I've created a lot of reports and a number of dashboards, some of which are pretty complex. We don't have Splunk set up on the best machine, so some of these queries take a while to run, and dashboards can break or take forever to view while all of the reports are generated; sometimes they time out.

All reports are based on daily data that is pulled in each night around midnight. Is there a way to schedule each report to run early in the morning, say 6am, each day so that every time someone views a dashboard with that report that day, it doesn't have to re-run each time and take forever to load, as it's been "pre-run/scheduled"? I don't need it to be emailed to me or anything.

1 Solution

lguinn2
Legend

Yes - simply edit each search and check the box for "schedule this search". Under scheduled search, you can choose schedule type "cron". In the cron schedule box put

0 6 * * *

Save your changes. (Don't choose any of the alerts or notifications.) The search will run automatically every morning at 6:00 am.

The dashboard will automatically pick up the cached results. BTW if someone runs the search manually during the day, the dashboard will then pick up the latest results.
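
The same 6:00 am schedule written as a `savedsearches.conf` stanza, as an added example that is not part of the original answer. The stanza name, search string and time range are constructed placeholders.

```ini
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# Constructed example: the stanza name and search string are placeholders.
[Daily Report Example]
search = index=main | stats count by host

# Cover the previous full day, matching data that is loaded around midnight.
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d

# Equivalent of ticking "schedule this search" and choosing schedule type "cron".
enableSched = 1
cron_schedule = 0 6 * * *

# Keep the results for two scheduled periods (the default for scheduled
# searches), so they are still available until after the next morning's run.
dispatch.ttl = 2p

# No alert or notification settings are configured.
```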

p_splunk
Engager

Hey, I found it out now.
You have to have the specific search saved before, and then after "edit search" you have to click "Select a saved search"; then you are where lguinn says (I think so 😉).

That's how mine worked out,
thx

0 Karma

lguinn2
Legend

In 4.3.3, you can click Edit on the dashboard to put the dashboard in edit mode, then click Edit on the dashboard panel and then Edit Search and Edit in Manager to get to the point that I mentioned above.

However, in all versions of Splunk, you can go to the Manager, choose Searches and Reports and then click the name of the search that you want to edit.

0 Karma

p_splunk
Engager

When I see my view/dashboard, do I need to click "view results" for every search and then create a scheduled search of this search?
Because I cannot find the checkbox you are talking about (I have 4.3.3).

Thx for the answer

0 Karma