Schedule saved searches
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Schedule saved searches
Before you can define a search-based alert, you first have to save the search and then schedule it to be run automatically by Splunk on a regular interval.
To learn more about saving searches, see "Save searches and share search results" in this manual.
Scheduling a saved search involves defining the interval upon which it runs, such as every half hour, every day at noon, or at midnight on the first Monday of the month.
This page discusses search scheduling using Splunk Web. For a discussion of managing search scheduling and alerting through the CLI, see "How alerting works" in the Admin manual.
Schedule a search
You can schedule a search at the same time that you save it, or you can schedule it at a later point.
If you schedule the search at the same time that you save it, you'll find all the controls in the Save Search window, which comes up after you select Save Search for a completed or finalized search. Click the Schedule this search box to start.
On the other hand, if you want to schedule a previously saved search, you need to go to the Saved Searches page in the Manager:
1. Click the Manager link in the upper right.
2. Select Saved Searches.
3. Locate the search you want to schedule (or update the schedule of) and select its name. If there is a long list of searches, use the filter at the top of the Save Searches page to help find the one you want to work with. You can filter by app context (the app that the search is associated with, if it hasn't been shared globally to all apps).
Note: You can only edit saved searches that you have created or saved searches that have been shared with you and which you have the permission to modify. Be aware that most searches are associated with a specific app unless they have been promoted to global availability across all apps. For more information about handling sharing and promotions for Splunk knowledge objects such as saved searches, see "Managing Saved Search Sharing and Promotion" in this manual.
After you reach the Saved Search window for a new or existing search, the procedure for setting up a saved search schedule is the same.
After entering or reviewing the basic details for the search (such as the Name, Description, and time range), click the Schedule a search checkbox. This reveals the search scheduling controls.
Then, pick a method for defining your schedule interval. You can choose Basic or Cron.
- Basic lets you choose from a list of predefined intervals to run your search on. For example, you can have the search be scheduled to run every: minute, 5 minutes, 30 minutes, hour, 12 hours, day at midnight, day at 4pm, day at 6pm, or Saturday at midnight.
- Cron lets you use standard cron notation to define your scheduled search interval.
Here are some cron examples:
*/5 * * * * : Every 5 minutes */30 * * * * : Every 30 minutes 0 */12 * * * : Every 12 hours, on the hour */20 * * * 1-5 : Every 20 minutes, Monday through Friday 0 9 1-7 * 1 : First Monday of each month, at 9am.
Add a specific time range to the search
To ensure that you get all the results within a time period, you may want to set the Time Range fields in the search definition (Earliest time and Latest time) to include a specific time range in your search. This can be especially true for distributed search setups where event data may not reach the indexer exactly when it is generated. In this case, it can be a good idea to schedule your searches with a few minutes of delay.
This example sets up a search that runs every hour at the half hour, but collects an hour's worth of event data, beginning an hour and a half before the search is run. (So if a search kicks off at 3:30pm, it is collecting the event data that Splunk indexed from 2:00pm to 3:00pm.)
- Set an Earliest time value of -90m and a Latest time value of -30m.
- Set a Cron notation of
30 * * * *to have your search run every hour on the half hour.
For more information about the syntax for defining time ranges in the search definition, see "Syntax for relative time modifiers" in this manual.
Set the retention time for the completed searches
If your scheduled search runs on a frequent basis you may not want to keep the completed search results in your system for very long, especially if you are setting it up to alert you only under specific conditions, and you have arranged for the results of the alerting search to be sent to you. Use the Retention time field to set the amount of time that Splunk stores the completed searches resulting from the scheduled search.
Enter either <number> (for seconds) or <number>p (for periods). A period is equivalent to the time range between the scheduled run times for the search. So if a search is scheduled to run every hour, and the retention time is 10p, that means each completed scheduled search is kept for 10 hours.
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.