Reputation: 375
How to schedule a search to run every 5 minutes in Splunk?
I am searching for some data on splunk for a 5 minute time range. I want this query to run after every 5 minutes in splunk on it's own. How can this be done? I tried finding it on splunk but all I can see is how to schedule alerts and reports. And after the query is activated, how can we access the produced results generated by the query?
Upvotes: 3
Views: 16328
Answers (1)
Reputation: 2313
Technically you can have a scheduled search, but it only makes sense to talk about a report or an alert. Your scheduled approach is actually the best-practice (as there is also the possibility for a real-time search of the last 5 minutes).
- If you just want a report, you tell Splunk to email it to you either as an HTML table or as a PDF document.
- If you only want to be alerted if some condition matches (i.e. more than X results) then you want to set up an alert.
- Scheduled searches are available, but they are a bit tricky to access (imho)
In the alerts/reports schedule options you have to set the following:
- Earliest:
-6m@m - Latest:
-1m@m - Cron expression:
*/5 * * * *
Don't forget to set some trigger condition (for an alert) or a delivery method (for the report) ;)
Upvotes: 12
Related Questions
- How to search a given time range for every day in Splunk?
- How to run a query in every 5 minute in SQL Server
- Splunk - Assigning custom time
- How can I run a cron job every 5 minutes starting from a time other than 0 minutes?
- Splunk: Schedule alert to run every 10 minutes
- Run a cronjob every 5 minutes on weekdays between 9:30AM to 15:30PM?
- How to create a cronjob that runs every 5 minutes from 8:30 AM to 9:30 PM?
- Create cron job for every five minutes?
- How to run the schedule every five minutes in Logstash 5.0?
- Run cron every 5 minutes in specific time span