
Splunk Scheduled Reports: Automating Analysis With Searches

Learn how to create Splunk scheduled reports that run automatically and deliver results on a schedule. Build recurring analysis workflows.

Jacob Anderson, Splunk Certified Architect

Running the same search every day gets tedious. Scheduled reports run your searches automatically on a schedule and deliver results without manual intervention. They're the foundation of automated monitoring and reporting.

What Is a Scheduled Report?

A scheduled report is a saved search configured to run automatically at set intervals. Instead of you running the search daily, the Splunk scheduler runs it and can deliver the results by email, write them to a summary index, or fire other actions. Under the hood a report and an alert are the same kind of object, a saved search; the difference is that a scheduled report runs and fires its actions on every scheduled run, while an alert evaluates a trigger condition first and acts only when that condition is met.

Use scheduled reports to generate daily security summaries, track performance metrics, check system health, or produce reports for stakeholders. Anything you find yourself searching for regularly is a candidate for a scheduled report.

Creating a Scheduled Report

Start with a search that works. Run it manually, verify the results look correct, then save it. Click "Save As" and choose "Report" as the type. Give it a meaningful name like "Daily Error Summary" rather than "Report1".

Next, configure the schedule. Open the report from the Reports list, choose Edit > Edit Schedule, and tick "Schedule Report". Pick how often it runs: every hour, every day, every week, every month, or on a cron schedule (anything finer than hourly, such as every 5 minutes, is expressed as a cron expression). For a daily report, select "Run every day" and choose the time it should run. The same dialog sets the time range the scheduled search covers, a schedule priority, and a schedule window, which is how long the scheduler may delay the run to avoid contention. Splunk stores all of this in savedsearches.conf as enableSched, cron_schedule, dispatch.earliest_time and dispatch.latest_time.

Choosing Your Schedule Wisely

Don't schedule reports more often than the data warrants. A report running every 5 minutes creates unnecessary load on your Splunk instance, and if the search itself takes longer than 5 minutes the scheduler starts skipping runs, or exhausts the concurrent scheduled-search limit and skips other people's reports as well. Schedule hourly or daily unless you specifically need high frequency, and give non-urgent reports a schedule window so the scheduler can slide them away from busy minutes.

Consider your audience's needs. A security team might want an hourly report. An executive summary might run daily. A monthly trend report runs monthly. Match the schedule to how actionable the information is.

Understanding Report Time Ranges

A scheduled report searches the time range that was saved with it, and relative time modifiers in that range are evaluated against the scheduled run time, not against the moment the search actually starts. There is no "since the last run" default: a daily report at 9 AM saved with "Last 24 hours" searches from 9 AM yesterday to 9 AM today, and a report saved with a fixed time range searches that same fixed range on every run.

You can customize this. Some reports search the last 30 days to show rolling trends. Others search -1d@d to @d, that is all of yesterday, so a 9 AM run reports on whole calendar days and successive runs neither overlap nor leave gaps. The right range depends on the analysis you're doing, but for anything that writes to a summary index, pick snapped boundaries (@h, @d) that line up with the schedule so each event is counted exactly once.

Want to go deeper?

No Nonsense Introduction to Splunk

Skip the endless docs rabbit hole. This hands-on course takes you from zero to confident with Splunk searches, dashboards, and alerts. Taught by a Splunk Certified Architect with over 10 years of real-world experience.

View the course →

Scheduling Reports With Cron Expressions

For complex schedules, choose "Run on Cron Schedule" and write a standard five-field cron expression (minute, hour, day of month, month, day of week). Instead of choosing "daily at 9 AM", define 0 9 * * *, which means 9 AM every day.

Cron is powerful. 0 9 * * 1 runs Monday at 9 AM. 0 0 1 * * runs the first of each month at midnight. */15 * * * * runs every 15 minutes. Learn cron syntax to create sophisticated schedules, and avoid stacking every report on the top of the hour: 5 * * * * gives late-arriving events five minutes to be indexed and moves your job away from the minute everyone else uses.
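The whole procedure above, as an added example rather than anything taken from the article: the saved search, cron schedule, time range and schedule window of a "Daily Error Summary" as Splunk stores them in savedsearches.conf once you have saved and scheduled the report. The index, sourcetype and log_level field in the search are assumptions chosen for illustration; the setting names are the ones Splunk Web writes.

```ini
# local/savedsearches.conf  (added example; index, sourcetype and fields are assumed)
[Daily Error Summary]
description = Count of ERROR log lines per host and component for the previous calendar day
# Assumed data: an "app" index whose events carry a log_level field.
search = index=app sourcetype=app_logs log_level=ERROR \
    | stats count AS errors BY host, component \
    | sort -errors
# Scheduling: enableSched turns the scheduler on for this search;
# cron_schedule is "minute hour day-of-month month day-of-week".
enableSched = 1
cron_schedule = 0 9 * * *
# Relative times are evaluated against the scheduled time (09:00), so -1d@d/@d
# means "all of yesterday" on every run: no overlap, no gap between days.
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# Non-urgent job: let the scheduler delay it up to 30 minutes to avoid contention.
schedule_window = 30
# Continuous scheduling (0): a run the scheduler had to skip is executed later
# rather than dropped, which matters once the results feed a summary index.
realtime_schedule = 0
disabled = 0
```

Drop the file into the app's local directory (or let Splunk Web write it) and reload; the search window for any run can be checked by opening the job from the Jobs page and reading its earliest and latest time.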

Email Delivery of Reports

Configure reports to email results automatically. Select who should receive the report and whether to include the results inline in the message body or attach them as CSV or PDF. Remember that an emailed report is a copy of the data leaving Splunk's access controls: it lands in mailboxes, mail servers and auto-forwards you don't manage, so keep recipient lists tight and never email raw events that contain credentials, tokens or personal data.

You can customize the email subject and add a message. Something like "Daily Error Summary for 2026-05-31" is more useful than the default subject; tokens such as $name$ and $trigger_date$ fill in the report name and the run date.

Report Acceleration for Performance

Like searches, reports can be accelerated. Acceleration only applies to reports whose search is a transforming search (it ends in a command such as stats, chart, timechart, top or rare) and that are shared at app or global level rather than kept private. Once enabled, Splunk builds a summary of the search results in the background for the summary range you choose and keeps it up to date; the first build takes a while, and subsequent runs over the summarized range are much faster.

Acceleration does not hand you stale results the way a cached answer would: when the report runs, Splunk reads the summary for the range it already covers and searches the raw events only for the most recent slice that hasn't been summarized yet. The cost is disk space for the summaries and background CPU to maintain them, so accelerate reports that run often over long ranges, not every report you own.

Conditional Report Triggers

Scheduled reports have no trigger conditions: every scheduled run executes the search and fires every configured action, even when the search returns nothing. If you want "run the search, but only act if something was found", that is an alert, not a report. Save the same search as an alert and give it a trigger condition such as "Number of Results is greater than 0", or a custom condition on a field, and the email or ticket action fires only when the condition holds.

This prevents empty report emails. If a search finds nothing interesting, why bother sending anything? Keep the report form for output that should arrive on schedule regardless, such as a daily summary where "nothing happened" is itself the message.

Saving Report Results

Configure reports to save results to a summary index, either with the Summary Indexing action in the schedule dialog or by ending the search with | collect index=summary. This creates a searchable history of report results over time. Later, search the summary index to see trends in what the report found.

Summary indexes are perfect for building "reports about reports". Track how an error rate changes over days or weeks by graphing summary index data. Two rules keep the numbers honest: the search window of each run must line up with the schedule (an hourly job searches -1h@h to @h) so no hour is counted twice or missed, and the report should use continuous scheduling so a run the scheduler had to skip is executed later rather than dropped.

Adding Actions to Reports

Like alerts, reports can trigger actions. Send email, post to a webhook (Slack, your ticketing system), output results to a lookup, log an event, or run a custom alert action. These actions run automatically every time the report runs.

A security team that wants a ticket opened only when suspicious activity is found should save that search as an alert with a trigger condition, so the incident is created automatically without anyone reading an email. A scheduled report with the same action would open a ticket on every run, including the empty ones.

Report Permissions and Sharing

Set permissions on your report to control who can see and run it. Save reports to specific apps so only team members with access to that app can run them. Keep in mind that a scheduled report runs with the permissions of its owner, and users who open its scheduled results see whatever the owner was allowed to see, so a shared report owned by a privileged account can expose indexes the viewer could not search themselves. Own shared reports with an account whose index access matches the intended audience.

Shared reports should have clear names and descriptions so others understand what they do and what data they touch.

Monitoring Report Runs

Splunk keeps a history of every scheduled run in the scheduler log, index=_internal sourcetype=scheduler, recording the saved search name, a status of success, skipped or continued, the run time and result count, and for skipped runs the reason, typically a concurrency limit or a search that overran its schedule window. Settings > Searches, reports, and alerts shows the same history per report, and a failed run is logged with its error. Review this regularly to catch problems.

If a report hasn't run in days, something is wrong. Set up an alert on the scheduler log so you are notified when scheduled reports are skipped or stop completing.
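The alert the paragraph above asks for, as an added example that is not part of the article: a savedsearches.conf stanza that watches the scheduler's own log for skipped runs, followed by a commented ad-hoc search for one report's run history. The recipient address and the one-day suppression are assumptions; the log fields used (savedsearch_name, app, user, status, reason, scheduled_time, run_time, result_count) are the ones Splunk's scheduler writes.

```ini
# local/savedsearches.conf  (added example; recipient and suppression period are assumed)
# One row per report the scheduler skipped in the previous clock hour, with the
# reason it gave (concurrency limit reached, window overrun, ...).
[Scheduler - Skipped Scheduled Searches]
description = Alerts when the scheduler skips any scheduled search
search = index=_internal sourcetype=scheduler status=skipped \
    | stats count AS skips, latest(reason) AS last_reason, latest(_time) AS last_skip \
        BY savedsearch_name, app, user \
    | convert ctime(last_skip)
enableSched = 1
# Ten past the hour: after the top-of-the-hour crowd, so this check is not itself skipped.
cron_schedule = 10 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Trigger only when at least one report was skipped.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
# One notification per affected report, then stay quiet about that report for a day
# while someone fixes the cause.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = savedsearch_name
alert.suppress.period = 1d
action.email = 1
action.email.to = splunk-admins@example.com
action.email.subject = Scheduled search skipped: $result.savedsearch_name$
action.email.inline = 1
action.email.sendresults = 1

# Ad-hoc run history for a single report (type this into the search bar, not a stanza):
#   index=_internal sourcetype=scheduler savedsearch_name="Daily Error Summary"
#   | eval scheduled=strftime(scheduled_time, "%F %T")
#   | table _time status scheduled run_time result_count reason
```

If the alert itself never fires and you suspect it is being skipped, the ad-hoc search with savedsearch_name set to the alert's own name will tell you.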

Optimizing Report Performance

Reports run on a schedule, not on-demand. You can optimize them differently than searches. A report running once daily can afford to search more data or use more complex logic than a search users run manually.

However, don't make reports unnecessarily complex. They should complete in minutes, not hours, and always well inside the interval between runs: a search that is still running when its next scheduled run comes due causes that run to be skipped.

Report Throttling

Throttling is an alert feature, not a report feature. A scheduled report fires its actions on every run and has no notion of duplicate results. If the same user or host keeps tripping a threshold and you don't want a notification every hour, save the search as an alert and enable throttling: after one trigger, further triggers are suppressed for a period, optionally per value of a field such as user or host, so each offender produces one notification per period rather than one per run.

Configure the suppression period based on how often you want reminders for ongoing issues.

Scheduling Reports With Dependencies

Some reports depend on others. One report writes a summary, then a second report analyzes that summary. Splunk's scheduler has no dependency feature, so you chain them by schedule: give the second report a cron time comfortably after the first normally finishes, give the first a small or zero schedule window so it is not delayed past that point, and have the second search the summary index for the range the first has already covered. If the second job needs the first job's exact output rather than summary data, | loadjob savedsearch="owner:app:name" reads the most recent completed results of a saved search directly.

This keeps your reporting pipeline processing data in the right order, as long as you watch the scheduler log for skipped runs that would leave a gap in the chain.

Real-World Report Examples

A SOC team schedules a report that runs hourly, counts failed logins per user over the previous hour, and saves the counts to a summary index for trend analysis. A companion alert on the same data looks back 24 hours and emails the team only when a user exceeds a threshold, throttled per user so a brute-force attempt that lasts all day produces one notification rather than twenty-four.

A system administration team schedules a daily report showing disk usage across all servers and emails executives a formatted summary; a separate alert on the same data fires immediately when any server exceeds 85% full.
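The SOC scenario above, worked through as an added example (not the article's own configuration), in savedsearches.conf. It also stands in for the email delivery, summary index, actions, throttling and dependency sections, since one set of stanzas exercises all of them: an hourly report that always writes to the summary index, an alert on the same data that emails only above a threshold and throttles per user, and a daily trend report read from the summary index and staggered behind the hourly job. The index name, the CIM-style tag and fields, the recipient address and the threshold of 20 are assumptions.

```ini
# local/savedsearches.conf  (added example; index, tag, fields, recipients and threshold are assumed)

# 1. Scheduled report: runs every hour and always writes its counts to the summary index.
[Failed Logins - Hourly Summary]
description = Failed logins per user for the previous clock hour, written to index=summary
# Assumed CIM-style data: tag=authentication with action=failure and a user field.
# bin _time so every summary row carries the hour it belongs to.
search = index=auth tag=authentication action=failure \
    | bin _time span=1h \
    | stats count AS failures BY _time, user
enableSched = 1
# Five past the hour gives late-arriving events time to be indexed; the window is
# exactly the previous clock hour, so nothing is counted twice and nothing is missed.
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# A skipped run must be executed later, otherwise the summary index gets a hole.
realtime_schedule = 0
schedule_window = 0
# Summary indexing action; the extra field tags rows so later searches can filter on them.
action.summary_index = 1
action.summary_index._name = summary
action.summary_index.report = failed_logins_hourly

# 2. Alert on the same data: fires only when a user crosses the threshold, throttled
#    per user. A report cannot do this; a report would email the team on every run.
[Failed Logins - Threshold Alert]
description = Email the SOC when a user has more than 20 failed logins in 24 hours
search = index=auth tag=authentication action=failure \
    | stats count AS failures BY user \
    | where failures > 20
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
# Trigger condition: act only if the search returned at least one row.
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
alert.severity = 4
# One email per offending user (digest_mode = 0), then silence that user for 24h.
alert.digest_mode = 0
alert.suppress = 1
alert.suppress.fields = user
alert.suppress.period = 24h
action.email = 1
action.email.to = soc@example.com
action.email.subject = Failed-login threshold exceeded for $result.user$
action.email.inline = 1
action.email.sendresults = 1
action.email.format = table

# 3. Daily trend read from the summary index. Splunk has no job dependencies: 06:30 is
#    chosen because the 06:05 hourly run (window 0, so never delayed) has long finished.
[Failed Logins - Daily Trend]
description = Seven-day failed-login trend from the hourly summary rows
search = index=summary report=failed_logins_hourly \
    | timechart span=1d sum(failures) AS failures
enableSched = 1
cron_schedule = 30 6 * * *
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
action.email = 1
action.email.to = soc@example.com
action.email.subject = Failed logins, last 7 days ($trigger_date$)
action.email.sendpdf = 1
```

Stanzas 1 and 2 run the same base search twice; if that double cost matters, the alert can instead read the summary index (index=summary report=failed_logins_hourly, then stats sum(failures) BY user) and run a few minutes after the hourly job, at the price of depending on that job having completed.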

Report Best Practices

Keep reports focused. A report should answer a specific question or show specific metrics. Multi-purpose reports become unwieldy.

Test reports before deploying. Run them manually to verify they produce the expected results. Check email formatting. Confirm actions execute correctly.

Document your reports. Why does this report exist? What should someone do with its results? This helps with maintenance and handoffs.

Advanced Reporting Workflows

Combine multiple reports with different schedules to create comprehensive monitoring systems. Use summary indexes to aggregate report results. Build dashboards from summary indexes to visualize trends.

As you build more reports, you'll develop sophisticated workflows where different reports feed each other, creating a monitoring pipeline.

Next Steps in Automated Reporting

You now understand how to automate searches and generate reports on a schedule. Start with simple daily reports to build familiarity. Expand to more frequent reports and complex actions.

Combine scheduled reports with alerts, dashboards, and summary indexes to build a comprehensive monitoring and reporting infrastructure for your organization.

Ready to master advanced Splunk reporting and automation? Explore our Introduction to Splunk course for comprehensive training in scheduled searches and reporting workflows.
