scheduled search
noun
A standard search that has been scheduled to run on a specific interval, such as daily, every two hours, two hours after midnight on the first of the month, and so on, usually for alerting purposes, as well as for summary indexing. You can define these schedule intervals by picking from a predefined list (with values such as "every minute," "every five minutes," and "each day at midnight") or by using standard cron notation.
You can also define "earliest time" and "latest time" ranges, which enable you to set up searches that collect data for intervals that are some set time in the past. For example, you could have a search that runs on the half hour for a search interval of each hour, so when it runs at 2:30pm it is collecting events that Splunk indexed between 1:00pm and 1:59pm.
When scheduled searches are used for alerting, their interval usually corresponds with the search time range. For example, if the search collects data from 20 minutes prior to launch to 10 minutes prior to launch, then you might want it to run on a 10-minute interval for alerting purposes. This way there won't be any gaps or overlaps in the data being searched in each scheduled run.
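The two examples above (the half-hourly run covering the previous full hour, and the 10-minute alert covering 20 to 10 minutes before launch) can be checked mechanically. The following is an added illustration, not Splunk's own code: it models a small subset of Splunk's relative-time modifiers (an optional `-Nm`/`-Nh` offset followed by an optional `@m`/`@h` snap) and reports whether consecutive runs leave gaps or overlaps in the data they search.

```python
import re
from datetime import datetime, timedelta

# Assumed model of a subset of Splunk relative-time syntax: offset applied first,
# then snapped to the unit after '@' (e.g. '-1h@h' at 14:30 -> 13:30 -> 13:00).
_REL = re.compile(r"^(?:(-?\d+)([mh]))?(?:@([mh]))?$")
_UNIT = {"m": timedelta(minutes=1), "h": timedelta(hours=1)}

def relative_time(run_at: datetime, spec: str) -> datetime:
    """Resolve a relative-time modifier such as '-20m@m' against the run time."""
    if spec == "now":
        return run_at
    m = _REL.match(spec)
    if not m:
        raise ValueError(f"unsupported modifier: {spec}")
    amount, unit, snap = m.groups()
    t = run_at + int(amount) * _UNIT[unit] if amount else run_at
    if snap == "h":
        t = t.replace(minute=0, second=0, microsecond=0)
    elif snap == "m":
        t = t.replace(second=0, microsecond=0)
    return t

def search_windows(first_run, interval, runs, earliest, latest):
    """[earliest, latest) window searched by each of `runs` scheduled executions."""
    return [(relative_time(r, earliest), relative_time(r, latest))
            for r in (first_run + i * interval for i in range(runs))]

def coverage_issues(windows):
    """Seconds between consecutive windows: >0 is a gap, <0 an overlap, [] is seamless."""
    return [(s2 - e1).total_seconds()
            for (_, e1), (s2, _) in zip(windows, windows[1:]) if s2 != e1]

if __name__ == "__main__":
    # Constructed run times. Half-hourly run covering the previous whole hour:
    hourly = search_windows(datetime(2024, 1, 1, 14, 30), timedelta(hours=1), 3, "-1h@h", "@h")
    print(hourly[0], coverage_issues(hourly))          # (13:00, 14:00), []
    # Alert: -20m to -10m, run every 10 minutes -> seamless; every 15 -> 5-minute gaps.
    ok = search_windows(datetime(2024, 1, 1, 12, 0), timedelta(minutes=10), 4, "-20m@m", "-10m@m")
    bad = search_windows(datetime(2024, 1, 1, 12, 0), timedelta(minutes=15), 4, "-20m@m", "-10m@m")
    print(coverage_issues(ok), coverage_issues(bad))   # [] [300.0, 300.0, 300.0]
```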
You can also define real-time searches, which gather data in real time (as events are received by Splunk) and run continuously for an indefinite period. Because they run continuously, there is no need to schedule them.
For more information
In the Knowledge Manager Manual:
- Configure the priority of scheduled searches
- Use summary indexing for increased reporting efficiency