The free version of Splunk lacks the ability to schedule reports or alerts. It does, however, have a very capable REST API that is easy to drive with curl. I wrote some batch files that call these APIs and scheduled them to run periodically: one grabs the latest alerts from the IDS and the other alerts on hard drive errors.
@echo off
rem Build a timestamp that is safe in a file name: strip / and spaces from the
rem date, replace : and . in the time, and turn its leading space into a T.
set tdate=%date:/=-%
set tdate=%tdate: =%
set ttime=%time::=_%
set ttime=%ttime: =T%
set ttime=%ttime:.=-%

call :doit IDSmalware5m
call :doit DiskErrors5m
goto :EOF

:doit
rem Start a search job for the saved search named in %1. The reply is
rem <response><sid>...</sid></response>; strip the tags to leave the bare sid.
curl -s -k https://splunkserver:8089/services/search/jobs -d "search=| savedsearch %1" | grep sid | sed "s/<sid>//g" | sed "s/<\/sid>//g" > %temp%\splunk-alert-%1-%tdate%%ttime%.txt
for /f %%i in (%temp%\splunk-alert-%1-%tdate%%ttime%.txt) do call :loop %%i
goto :EOF

:loop
rem Poll the job's status entry until it reports <s:key name="isDone">1</s:key>,
rem sleeping two seconds between tries (sleep comes from the same GNU tool
rem set as grep and sed; cmd's built-in equivalent is: timeout /t 2 >nul).
curl -s -k https://splunkserver:8089/services/search/jobs/%1 | grep "<s:key name=\"isDone\">1" > nul
if errorlevel 1 sleep 2 && goto :loop
rem Job finished: fetch the results as CSV.
curl -s -k "https://splunkserver:8089/services/search/jobs/%1/results?output_mode=csv"
goto :EOF

Two things to be aware of before copying this. The -k flag turns off certificate verification, so anything sitting between the machine running the task and splunkserver:8089 can read the alert output or hand back forged results; import the certificate that splunkd presents into the curl CA bundle (or point --cacert at it) and drop -k. No credentials are passed because Splunk Free has no logins; against Splunk Enterprise the same calls need -u user:password or an authentication token.
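The same four steps (create the job, read its sid, poll until isDone, fetch the CSV) written as an added example in Python rather than batch. This is not the post's own script: it parses the XML and CSV Splunk returns instead of grepping for tags, keeps TLS verification on, and whitelists the saved-search name before it is spliced into the search string. The host in SPLUNK_BASE, the Bearer token handling and the saved-search names are assumptions, and the FakeSplunk class is a constructed stand-in for the server so the flow can be run offline.

```python
"""Run a Splunk saved search over the REST API and return its rows.
Added example, not the post's batch file. SPLUNK_BASE, the token and the
saved-search names are assumptions; FakeSplunk is a constructed server."""
import csv
import io
import time
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SPLUNK_BASE = "https://splunkserver:8089"  # assumed, the host the post uses


def parse_sid(create_body):
    """POST /services/search/jobs answers <response><sid>...</sid></response>."""
    sid = (ET.fromstring(create_body).findtext("sid") or "").strip()
    if not sid:
        raise ValueError("job creation response carried no <sid>")
    return sid


def job_is_done(status_body):
    """GET /services/search/jobs/<sid> is Atom XML holding <s:key name="isDone">."""
    for el in ET.fromstring(status_body).iter():
        if el.tag.rsplit("}", 1)[-1] == "key" and el.get("name") == "isDone":
            return (el.text or "").strip() == "1"
    return False


def parse_results(csv_body):
    """output_mode=csv: a header row, then one row per event."""
    return list(csv.DictReader(io.StringIO(csv_body)))


def https_transport(token=None):
    """Real transport: urllib verifies the server certificate (no curl -k).
    Splunk Free has no logins, so token stays None there; Splunk Enterprise
    wants an authentication token, sent here as a Bearer header (assumed)."""
    def send(method, path, form=None):
        data = urllib.parse.urlencode(form).encode() if form else None
        req = urllib.request.Request(SPLUNK_BASE + path, data=data, method=method)
        if token:
            req.add_header("Authorization", "Bearer " + token)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")
    return send


def run_saved_search(name, send, poll_seconds=2.0, max_polls=60):
    """Create the job for `| savedsearch <name>`, wait for it, return its rows."""
    if not name.replace("_", "").isalnum():  # keep SPL injection out of the search
        raise ValueError("saved search name must be a plain identifier")
    sid = parse_sid(send("POST", "/services/search/jobs",
                         {"search": "| savedsearch " + name}))
    job = "/services/search/jobs/" + urllib.parse.quote(sid, safe="")
    for _ in range(max_polls):
        if job_is_done(send("GET", job)):
            return parse_results(send("GET", job + "/results?output_mode=csv"))
        time.sleep(poll_seconds)  # the batch file's `sleep 2 && goto :loop`
    raise TimeoutError("job %s not done after %d polls" % (sid, max_polls))


class FakeSplunk:
    """Constructed stand-in for the server: one sid, isDone=0 on the first
    poll, isDone=1 on the second, then two constructed CSV rows."""
    def __init__(self):
        self.polls = 0

    def __call__(self, method, path, form=None):
        if method == "POST":
            return "<response><sid>1700000000.42</sid></response>"
        if path.endswith("/results?output_mode=csv"):
            return ("_time,src_ip,signature\n"
                    "2024-01-01T00:00:01,10.0.0.5,ET MALWARE Beacon\n"
                    "2024-01-01T00:00:03,10.0.0.9,ET MALWARE Beacon\n")
        self.polls += 1
        done = "1" if self.polls >= 2 else "0"
        return ('<entry xmlns="http://www.w3.org/2005/Atom" '
                'xmlns:s="http://dev.splunk.com/ns/rest"><content>'
                '<s:dict><s:key name="isDone">' + done + '</s:key></s:dict>'
                '</content></entry>')


def demo():
    """Run IDSmalware5m against the fake server; returns (rows, polls made)."""
    fake = FakeSplunk()
    return run_saved_search("IDSmalware5m", fake, poll_seconds=0), fake.polls


if __name__ == "__main__":
    rows, polls = demo()
    print("polls:", polls)
    for row in rows:
        print(row["_time"], row["src_ip"], row["signature"])
```

To run it against a real instance, replace the fake with `https_transport()` (or `https_transport(token)` on Enterprise); the certificate check then fails loudly on a self-signed splunkd cert until that cert is trusted, which is the behaviour -k was hiding.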