Schedule reports
A scheduled report is a report that runs on a scheduled interval, and which can trigger an action each time it runs. You can define up to four actions for a scheduled report:
- Send a report summary by email
- Write the report results to a CSV lookup file
- Set up a webhook that sends a message to an external web resource, such as a chatroom
- Log and index searchable events
You can create scheduled reports only if your role includes the schedule_search
capability. See About defining roles with capabilities in Securing Splunk Enterprise.
Open the Edit Schedule dialog
Open the Edit Schedule dialog to define a schedule for an existing report and optionally set up actions that are triggered each time the report runs on its schedule.
There are three ways to open the Edit Schedule dialog:
- After saving a search as a report
- When you extend a dataset as a scheduled report
- When you manage an existing report
After saving a search as a report
Use this method to schedule a report right after you create it.
- Create a search and run it.
- Save the search as a report.
Do not enable a time range picker. Scheduled reports cannot include time range pickers, because they always run on a set schedule. - Click Schedule.
When you extend a dataset as a scheduled report
Use this method to extend a dataset as a scheduled report.
- In the Apps bar, click Datasets.
- Select Manage > Schedule Report for the dataset that you want to schedule as a report.
See Dataset types and usage in the Knowledge Manager Manual.
When you manage an existing report
You manage reports with the Reports listing page or the Searches, Reports, and Alerts page in Settings.
- Go to the page that you use to manage your report.
Page Navigation Reports listing page In the Apps bar, click Reports. Searches, Reports, and Alerts Select Settings > Searches, Reports, and Alerts - Select Edit > Edit Schedule for the report that you want to schedule.
Alternatively, on the Reports listing page you can expand a report row to access scheduling controls.
- Go to the Reports listing page.
- Expand the row for the report that you want to schedule.
- On the Schedule line, click Edit.
Schedule a report
Scheduled reports cannot include time range pickers. When you schedule a report that includes a time range picker, Splunk software removes the picker from the report.
Scheduled reports can run only as owner. When you schedule a report that has been shared to run as user, Splunk software updates that setting so it runs as owner. See Determine whether to run reports as the report owner or report user.
Prerequisites
Review the following topics:
- Open the Edit Schedule dialog
- Use cron expressions for scheduling in the Alerting Manual
- Prioritize concurrently scheduled reports in Splunk Web
Steps
- Open the Edit Schedule dialog.
- Select Schedule Report.
- Select the Schedule for the report.
You can select a predefined schedule like Run every hour or you can select Run on Cron Schedule and then define a custom schedule with a Cron Expression. - Select the Time range for the report.
Time range is the time range for which the report collects data. It defaults to the time range that you have set for the report. Specify a new time range to override the default. - (Optional) Select a Schedule Priority for the report.
Use Schedule Priority to raise the scheduling priority of this search. Only roles with theedit_search_schedule_priority
capability can see Schedule Priority or set it to a value other than Default.
Use Schedule Priority with discretion. It is only effective when a relatively small number of scheduled reports have raised priorities.
- (Optional) Select a Schedule Window for the report to run within.
When there are many scheduled reports set to run concurrently, you can set Schedule Window to specify how long the report scheduler can defer this report and cause it to yield to higher-importance reports. Only roles with theedit_search_schedule_window
capability can see Schedule Window or set it to a value other than No Window. - (Optional)Click Add Actions to define actions for your scheduled report.
- Click Save to save your schedule settings.
See Define actions for your scheduled report.
Define actions for a scheduled report
When you schedule a report, you can optionally define actions that are triggered each time it runs on its schedule. For example, if you add an email notification action to a scheduled report, each time that report runs the Splunk software will send an email with the results of the report to a set of stakeholders.
- To add actions to a scheduled report, open the Edit Schedule dialog and select options from the Add Actions menu.
Scheduled report actions are documented in the Alerting Manual.
To learn about | See |
---|---|
Logging and indexing searchable events | Log events |
Writing the results of the triggered alert or scheduled report to a CSV lookup file | Output results to a CSV lookup |
Sending report summaries by email | Email notification action |
Displaying a message in a chat room or updating another web resource | Use a webhook alert action |
The Run a script action is deprecated. As an alternative you can define customized actions that can include scripts.
See About custom alert actions in the Alerting Manual.
All of these scheduled report actions let you export the results of a scheduled report. For a summary of other search result export methods, see Export search results in the Search Manual.
Enable others to access a scheduled report
If you have a role that gives you write access to the knowledge objects in your app, such as the Power or Admin roles, you can set or change the report permissions so it is available to other Splunk users at an app or global level. See Set report permissions.
For more information about managing permissions for Splunk knowledge objects, see Manage knowledge object permissions in the Knowledge Manager Manual.
Manage the priority of concurrently scheduled reports
Depending on how you configure your Splunk deployment, you might be able to run only one scheduled report at a time. Under this restriction, when you schedule multiple reports to run at approximately the same time, the Splunk search scheduler works to ensure that all of your scheduled reports get run consecutively for the period of time over which they are supposed to gather data. However, there are cases where you need to run some reports ahead of others in order to ensure that current data is obtained, or to ensure that gaps in data collection do not occur.
You can configure the priority of scheduled reports with the Schedule Window and Schedule Priority settings. See Prioritize concurrently-scheduled reports in Splunk Web.
Accelerate reports | Make scheduled reports durable to prevent event loss |
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408
Feedback submitted, thanks!