Splunk® Enterprise

Reporting Manual

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Schedule reports

A scheduled report is a report that runs on a scheduled interval, and which can trigger an action each time it runs. You can define up to four actions for a scheduled report:

  • Send a report summary by email
  • Write the report results to a CSV lookup file
  • Set up a webhook that sends a message to an external web resource, such as a chatroom
  • Log and index searchable events

You can create scheduled reports only if your role includes the schedule_search capability. See About defining roles with capabilities in Securing Splunk Enterprise.

Open the Edit Schedule dialog

Open the Edit Schedule dialog to define a schedule for an existing report and optionally set up actions that are triggered each time the report runs on its schedule.

There are three ways to open the Edit Schedule dialog:

  • After saving a search as a report
  • When you extend a dataset as a scheduled report
  • When you manage an existing report

After saving a search as a report

Use this method to schedule a report right after you create it.

  1. Create a search and run it.
  2. Save the search as a report.
    Do not enable a time range picker. Scheduled reports cannot include time range pickers, because they always run on a set schedule.
  3. Click Schedule.

See Create and edit reports.

When you extend a dataset as a scheduled report

Use this method to extend a dataset as a scheduled report.

  1. In the Apps bar, click Datasets.
  2. Select Manage > Schedule Report for the dataset that you want to schedule as a report.

See Dataset types and usage in the Knowledge Manager Manual.

When you manage an existing report

You manage reports with the Reports listing page or the Searches, Reports, and Alerts page in Settings.

  1. Go to the page that you use to manage your report.
    Page Navigation
    Reports listing page In the Apps bar, click Reports.
    Searches, Reports, and Alerts Select Settings > Searches, Reports, and Alerts
  2. Select Edit > Edit Schedule for the report that you want to schedule.

Alternatively, on the Reports listing page you can expand a report row to access scheduling controls.

  1. Go to the Reports listing page.
  2. Expand the row for the report that you want to schedule.
  3. On the Schedule line, click Edit.

Schedule a report

Scheduled reports cannot include time range pickers. When you schedule a report that includes a time range picker, Splunk software removes the picker from the report.

Scheduled reports can run only as owner. When you schedule a report that has been shared to run as user, Splunk software updates that setting so it runs as owner. See Determine whether to run reports as the report owner or report user.

Prerequisites

Review the following topics:

Steps

  1. Open the Edit Schedule dialog.
  2. Select Schedule Report.
  3. Select the Schedule for the report.
    You can select a predefined schedule like Run every hour or you can select Run on Cron Schedule and then define a custom schedule with a Cron Expression.
  4. Select the Time range for the report.
    Time range is the time range for which the report collects data. It defaults to the time range that you have set for the report. Specify a new time range to override the default.
  5. (Optional) Select a Schedule Priority for the report.
    Use Schedule Priority to raise the scheduling priority of this search. Only roles with the edit_search_schedule_priority capability can see Schedule Priority or set it to a value other than Default.

    Use Schedule Priority with discretion. It is only effective when a relatively small number of scheduled reports have raised priorities.

  6. (Optional) Select a Schedule Window for the report to run within.
    When there are many scheduled reports set to run concurrently, you can set Schedule Window to specify how long the report scheduler can defer this report and cause it to yield to higher-importance reports. Only roles with the edit_search_schedule_window capability can see Schedule Window or set it to a value other than No Window.
  7. (Optional)Click Add Actions to define actions for your scheduled report.
  8. Click Save to save your schedule settings.

See Define actions for your scheduled report.

Define actions for a scheduled report

When you schedule a report, you can optionally define actions that are triggered each time it runs on its schedule. For example, if you add an email notification action to a scheduled report, each time that report runs the Splunk software will send an email with the results of the report to a set of stakeholders.

  • To add actions to a scheduled report, open the Edit Schedule dialog and select options from the Add Actions menu.

Scheduled report actions are documented in the Alerting Manual.

To learn about See
Logging and indexing searchable events Log events
Writing the results of the triggered alert or scheduled report to a CSV lookup file Output results to a CSV lookup
Sending report summaries by email Email notification action
Displaying a message in a chat room or updating another web resource Use a webhook alert action

The Run a script action is deprecated. As an alternative you can define customized actions that can include scripts.

See About custom alert actions in the Alerting Manual.

All of these scheduled report actions let you export the results of a scheduled report. For a summary of other search result export methods, see Export search results in the Search Manual.

Enable others to access a scheduled report

If you have a role that gives you write access to the knowledge objects in your app, such as the Power or Admin roles, you can set or change the report permissions so it is available to other Splunk users at an app or global level. See Set report permissions.

For more information about managing permissions for Splunk knowledge objects, see Manage knowledge object permissions in the Knowledge Manager Manual.

Manage the priority of concurrently scheduled reports

Depending on how you configure your Splunk deployment, you might be able to run only one scheduled report at a time. Under this restriction, when you schedule multiple reports to run at approximately the same time, the Splunk search scheduler works to ensure that all of your scheduled reports get run consecutively for the period of time over which they are supposed to gather data. However, there are cases where you need to run some reports ahead of others in order to ensure that current data is obtained, or to ensure that gaps in data collection do not occur.

You can configure the priority of scheduled reports with the Schedule Window and Schedule Priority settings. See Prioritize concurrently-scheduled reports in Splunk Web.

Last modified on 28 August, 2017
PREVIOUS
Accelerate reports
  NEXT
Embed scheduled reports

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.5, 8.0.10, 7.2.1, 7.0.1, 8.0.4, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 8.0.6, 8.0.7, 8.0.8


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters