Splunk® Enterprise

Reporting Manual

This documentation does not apply to the most recent version of Splunk.

Schedule reports

A scheduled report is a report that runs on a scheduled interval, and which can trigger an action each time it runs. There are three actions available for scheduled reports: Send email, Run a script, and Write to a CSV lookup file.

Report scheduling restrictions

You can only create scheduled reports if your role includes the schedule_search capability. See About defining roles with capabilities in Securing Splunk Enterprise.

Open the Edit Schedule dialog

There are three ways to open the Edit Schedule dialog.

  • After saving a search as a report
  • When you extend a dataset as a scheduled report
  • When you manage an existing report

After saving a search as a report

Use this method to schedule a report right after you create it.

  1. Create a search and run it.
  2. Save the search as a report.
    Do not enable a time range picker. Scheduled reports cannot include time range pickers, because they always run on a set schedule.
  3. In the Your Report Has Been Created dialog, click Schedule.

See Create and edit reports, in this manual.

When you extend a dataset as a scheduled report

Use this method to extend a dataset as a scheduled report.

  1. In the green apps bar, click Datasets.
  2. Click the name of a dataset that you want to schedule as a report.
  3. Select Manage > Schedule Report.

See Dataset types and usage in the Knowledge Manager Manual.

When you manage an existing report

You manage reports with the Reports listing page or the Searches, Reports, and Alerts page in Settings.

  1. Go to the page that you use to manage your report.
    Page: Navigation
    • Reports listing page: In the green apps bar, click Reports.
    • Searches, Reports, and Alerts: Select Settings > Searches, Reports, and Alerts.
  2. Locate the report that you want to schedule.
  3. Select Edit > Edit Schedule.

Alternatively, on the Reports listing page you can expand a report row to access scheduling controls.

  1. On the Reports listing page, locate a report that you want to schedule.
  2. Expand the row for the report.
  3. On the Schedule line, click Edit.

Schedule a report

Scheduled reports cannot include time range pickers. When you schedule a report that includes a time range picker, Splunk software removes the picker from the report.

Scheduled reports can only run as owner. When you schedule a report that has been shared to run as user, Splunk software updates that setting so it runs as owner. See Determine whether to run reports as the report owner or report user.

Prerequisites

Review the following topics.

Steps

  1. Open the Edit Schedule dialog.
  2. Select Schedule Report.
  3. Enter the Schedule for the report.
    You can select a predefined schedule like Run every hour or you can select Run on Cron Schedule and then define a custom schedule with a Cron Expression.
  4. Select the Time range for the report.
    Time range is the time range for which the report collects data. It defaults to the time range that you have set for the report. Specify a new time range to override the default.
  5. (Optional) Select a Schedule Priority for the report.
    Use Schedule Priority to raise the scheduling priority of this search. Use with discretion. Only roles with the edit_search_schedule_priority capability can see Schedule Priority or set it to a value other than Default.
  6. (Optional) Select a Schedule Window for the report to run within.
    When there are many scheduled reports set to run concurrently, you can set Schedule Window to specify how long the report scheduler can defer this report and cause it to yield to higher-importance reports. Only roles with the edit_search_schedule_window capability can see Schedule Window or set it to a value other than No Window.
  7. Click Next to define actions for your scheduled report.

See Define actions for your scheduled report.

Define actions for a scheduled report

When you schedule a report, you can optionally have it perform actions when it runs. There are three actions that scheduled reports can perform. You can define the parameters of those actions.

Action: More information

  • Send email: Sends report results via email. The email can go out to multiple recipients. It can provide the results in the body of the email, or as CSV or PDF attachments. You can define the email format.
  • Run a script: Runs a Python script that you define. The script can access the results of each scheduled report job and do things with them, like post them to an external system for further processing, or archive the results on a regular schedule.
  • Write to a CSV lookup file: Writes the results of each run of the report to a CSV lookup file that you provide. You can write over the current contents of the file or append the results to the current contents in the file.

These scheduled report actions are all methods for exporting the results of a scheduled report. For a summary of other search result export methods, see Export search results in the Search Manual.

If you use Splunk Enterprise, you can also configure report email actions in the alert_actions.conf or savedsearches.conf configuration files. Use alert_actions.conf to configure global properties. Use savedsearches.conf to configure individual reports. See Configure alerts in savedsearches.conf in the Alerting Manual.

Define a Send Email action

This action sends an email with information about the report to one or more recipients each time it runs.

You cannot set up a send email action without first configuring email notification for your Splunk deployment in Settings. See Email notification action in the Alerting Manual.

Prerequisites

Steps

  1. Open the Edit Schedule dialog and define the report schedule.
  2. Click Next.
  3. Select Send Email.
    [Image: the Edit Schedule dialog, displaying the alert action controls. Send Email is selected. It is set up to deliver an email to one email address each time the report runs. The email will include the name of the report and links to the report and its results.]
  4. Provide a comma-separated list of To email recipients.
  5. (Optional) Click Show CC and BCC to enter comma-separated lists of CC and BCC email recipients.
  6. (Optional) Set the email Priority. Enforcement of email priority depends on your email client.
  7. (Optional) Provide the email Subject and Message.
    You can optionally use tokens in the subject and message text. Tokens can enhance emails with specific information about the report, the report job, or the results captured by that job.
  8. (Optional) Select one or more of the following options to include material in the email.
    Option: When selected, adds to email
    • Link to Report: A link to the related report.
    • Link to Results: A link to the results for the related report job.
    • Search String: Displays the search string used by the report.
    • Inline...: Displays the results as an inline table, a list of raw events, or in CSV file format.
  9. (Optional) Select Attach CSV to attach a CSV file with the results to the email.
  10. (Optional) Select Attach PDF to attach a PDF file with the results to the email.
  11. (Optional) Change the email Type to Plain Text.
    Type is set to HTML & Plain Text by default.
  12. Click Save to save your email action settings.

Example scheduled report email

The following figure shows a scheduled report email with results delivered as text in the body of the email:

[Figure: 6.1 report schedule email.png]

Define a Run a Script action

This action runs a script that you provide on each run of the scheduled report. It is often used to send report results to an external system.

Prerequisites

Steps

  1. Open the Edit Schedule dialog and define the report schedule.
  2. Click Next.
  3. Select Run a Script.
  4. Provide the Filename of your script.
    The script must be at the following location in your Splunk Enterprise instance: $SPLUNK_HOME/bin/scripts
  5. Click Save to save your script action settings.

Example of the Run a Script action

You can set up a Run a Script action that sends results of the report to an external system each time it runs. It does this by running a script that calls an API that sends the report results to the external system.
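The following script is an added example, not Splunk code: it covers the archiving use case, loading the results of the report job and writing them to a local archive, where an integration with an external system would call that system's API instead. It assumes a Python 3 interpreter and the scripted alert argument convention described in the Alerting Manual (argument 4 is the report name, argument 8 is the path to the gzipped CSV results file); the archive directory and the function names are hypothetical.

```python
import csv
import gzip
import json
import os
import re
import sys

# Assumptions: Python 3; Splunk passes the report name as argument 4 and the
# path to the gzipped CSV results file as argument 8 (scripted alert convention).
ARG_REPORT_NAME, ARG_RESULTS_FILE = 4, 8


def read_results(results_path, dispatch_root):
    """Load result rows, refusing any file outside the dispatch directory."""
    real = os.path.realpath(results_path)
    root = os.path.realpath(dispatch_root)
    if os.path.commonpath([real, root]) != root:
        raise ValueError("results file is outside the dispatch directory")
    with gzip.open(real, "rt", newline="") as handle:
        return list(csv.DictReader(handle))


def archive_name(report_name):
    """Report names are user-chosen text, so never use them as a path as-is."""
    safe = re.sub(r"[^A-Za-z0-9_-]+", "_", report_name).strip("_")
    return (safe or "report") + ".json"


def archive(report_name, rows, archive_dir):
    """Write the rows as JSON under archive_dir and return the file path."""
    os.makedirs(archive_dir, exist_ok=True)
    path = os.path.join(archive_dir, archive_name(report_name))
    with open(path, "w") as handle:
        json.dump({"report": report_name, "results": rows}, handle)
    return path


def main(argv):
    home = os.environ["SPLUNK_HOME"]
    dispatch = os.path.join(home, "var", "run", "splunk", "dispatch")
    rows = read_results(argv[ARG_RESULTS_FILE], dispatch)
    # Hypothetical archive location, chosen for this example.
    archive(argv[ARG_REPORT_NAME], rows, os.path.join(home, "var", "report_archive"))


if __name__ == "__main__":
    main(sys.argv)
```

The script treats both of its inputs as untrusted: the results path must resolve inside the dispatch directory, and the report name is reduced to a safe file name before it is used on disk.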

For security reasons, place all scripts in either of the following locations of your Splunk Enterprise instance:

$SPLUNK_HOME/bin/scripts

$SPLUNK_HOME/etc/<AppName>/bin/scripts

You can also configure running a scheduled report script with a shell script or batch file. Make this configuration in the savedsearches.conf configuration file. See Configure a script for an alert action in the Alerting Manual.
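To check the script location rule above across existing reports, the following added example (not Splunk code) parses savedsearches.conf text and lists the scheduled reports whose script action names anything other than a bare filename. It assumes the enableSched, action.script and action.script.filename settings of savedsearches.conf; the sample stanzas and the function names are constructed for illustration.

```python
import re

# Constructed sample savedsearches.conf content (not from a real deployment).
SAMPLE_CONF = r"""
[Daily login summary]
enableSched = 1
search = index=auth action=success \
    | stats count by user
action.script = 1
action.script.filename = ../../tmp/push.sh

[Hourly error count]
enableSched = 1
action.script = 1
action.script.filename = archive_results.py

[Ad hoc report]
enableSched = 0
action.script = 1
action.script.filename = /tmp/run.sh
"""


def parse_conf(text):
    """Parse stanzas into dicts, joining backslash-continued lines first."""
    stanzas, current = {}, None
    for line in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def is_on(conf, key):
    return conf.get(key, "0").lower() in ("1", "true")


def audit_script_actions(text):
    """List scheduled reports whose script filename is not a bare name."""
    findings = []
    for name, conf in parse_conf(text).items():
        filename = conf.get("action.script.filename", "")
        active = is_on(conf, "enableSched") and is_on(conf, "action.script")
        if active and not re.fullmatch(r"\w[\w.-]*", filename):
            findings.append((name, filename))
    return findings
```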

If you are having trouble with your scheduled report scripts, see this excellent topic on troubleshooting alert scripts on the Splunk Community Wiki.

For more information about the Run a script alert action, see Set up alert actions in the Alerting Manual.

Define a Write to a CSV Lookup File action

This action writes the results of each run of the scheduled search to a CSV lookup file that you specify. The results can replace the existing file contents, or they can be appended to the existing file contents.

Prerequisites

Steps

  1. Open the Edit Schedule dialog and define the report schedule.
  2. Click Next.
  3. Select Write to a CSV Lookup File.
  4. Provide a Filename of a CSV lookup file.
    If you provide the name of a CSV lookup file that does not already exist in your Splunk implementation, the Splunk software will create a CSV file with this name on the next run of the scheduled search and begin writing search results to it.
    To see a list of the CSV lookup files currently in your system, select Settings > Lookups > Lookup table files.
  5. (Optional) Select Append new results to append the results returned by a scheduled run of a search to the contents of the CSV file.
    If you do not select Append new results, the contents of the CSV file are replaced with the results of the latest run of the search each time the search runs.
  6. Click Save to save your script action settings.

The Splunk software uses the outputlookup command to write the search results to the CSV lookup file.

Enable others to access a scheduled report

If you have a role that gives you write access to the knowledge objects in your app (such as the Power or Admin roles), you can set or change the report permissions so it is available to other Splunk users at an app or global level. See Set report permissions, in this manual.

For more information about managing permissions for Splunk knowledge objects, read Manage knowledge object permissions in the Knowledge Manager Manual.

Manage the priority of concurrently scheduled reports

Depending on how you configure your Splunk deployment, you might be able to run only one scheduled report at a time. Under this restriction, when you schedule multiple reports to run at approximately the same time, the Splunk search scheduler works to ensure that all of your scheduled reports run consecutively for the period of time over which they are supposed to gather data. However, depending on your needs, you might need certain reports to run ahead of others, either to ensure that current data is obtained or to ensure that gaps in data collection do not occur.

You can configure the priority of scheduled reports with the Schedule Window and Schedule Priority settings. See Prioritize concurrently-scheduled reports in Splunk Web.


This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3

