topic My search does not work if it is scheduled to run for generating lookup table in Splunk Search https://community.splunk.com/t5/Splunk-Search/My-search-does-not-work-if-it-is-scheduled-to-run-for-generating/m-p/76967#M19476 <P>Hi,</P> <P>I have following lookup cron job defined in savedsearches.conf (the search condition is simplified for this discussion):</P> <P>[AD Password Change by Domain]</P> <P>cron_schedule = */15 * * * *</P> <P>enableSched = 1</P> <P>dispatch.earliest_time = -3d</P> <P>dispatch.latest_time = now</P> <P>run_on_startup = true</P> <P>dispatch.lookups = 0</P> <P>description = Create AD password change statistics lookup file.</P> <P>search = EventCode=4724 | eval time=strftime(_time, "%c") | stats dc(time) as password_changes by domain | outputlookup stat_ad_password_changes_by_domain</P> <P>It is expected to run every 15 minutes and refresh the stat_ad_password_changes_by_domain.csv file. But every time it runs, stat_ad_password_changes_by_domain.csv file is set to size 0(there is no content in such file).</P> <P>The search itself works. If I copy the search (EventCode=4724 | eval time=strftime(_time, "%c") | stats dc(time) as password_changes by domain | outputlookup stat_ad_password_changes_by_domain) and run it from Splunk console, it works and displays following result:</P> <P>domain password_changes<BR /><BR /> MYDOMAIN.COM 1 </P> <P>In the mean time, stat_ad_password_changes_by_domain.csv file contains the right content. But after 15 minutes, the csv file size is changed to 0 since cron job run such search and refresh the csv file.</P> <P>I do have multiple other good lookup tables. If I switch this search with a good lookup table, it breaks such good lookup table. So, this search really has problem when it is run from cron for generating lookup table although it works fine when running from Splunk console. </P> <P>Anybody has any idea why this search has problem? Also in general, what is the way to debug such problem? Since running such search from Splunk console is working, it has to be related to cron job for generating lookup table. But i have no idea how to debug this.</P> <P>Thanks in advance!</P> <P>John</P> Mon, 28 Sep 2020 11:57:07 GMT tonopahtaos 2020-09-28T11:57:07Z My search does not work if it is scheduled to run for generating lookup table https://community.splunk.com/t5/Splunk-Search/My-search-does-not-work-if-it-is-scheduled-to-run-for-generating/m-p/76967#M19476 <P>Hi,</P> <P>I have following lookup cron job defined in savedsearches.conf (the search condition is simplified for this discussion):</P> <P>[AD Password Change by Domain]</P> <P>cron_schedule = */15 * * * *</P> <P>enableSched = 1</P> <P>dispatch.earliest_time = -3d</P> <P>dispatch.latest_time = now</P> <P>run_on_startup = true</P> <P>dispatch.lookups = 0</P> <P>description = Create AD password change statistics lookup file.</P> <P>search = EventCode=4724 | eval time=strftime(_time, "%c") | stats dc(time) as password_changes by domain | outputlookup stat_ad_password_changes_by_domain</P> <P>It is expected to run every 15 minutes and refresh the stat_ad_password_changes_by_domain.csv file. But every time it runs, stat_ad_password_changes_by_domain.csv file is set to size 0(there is no content in such file).</P> <P>The search itself works. If I copy the search (EventCode=4724 | eval time=strftime(_time, "%c") | stats dc(time) as password_changes by domain | outputlookup stat_ad_password_changes_by_domain) and run it from Splunk console, it works and displays following result:</P> <P>domain password_changes<BR /><BR /> MYDOMAIN.COM 1 </P> <P>In the mean time, stat_ad_password_changes_by_domain.csv file contains the right content. But after 15 minutes, the csv file size is changed to 0 since cron job run such search and refresh the csv file.</P> <P>I do have multiple other good lookup tables. If I switch this search with a good lookup table, it breaks such good lookup table. So, this search really has problem when it is run from cron for generating lookup table although it works fine when running from Splunk console. </P> <P>Anybody has any idea why this search has problem? Also in general, what is the way to debug such problem? Since running such search from Splunk console is working, it has to be related to cron job for generating lookup table. But i have no idea how to debug this.</P> <P>Thanks in advance!</P> <P>John</P> Mon, 28 Sep 2020 11:57:07 GMT https://community.splunk.com/t5/Splunk-Search/My-search-does-not-work-if-it-is-scheduled-to-run-for-generating/m-p/76967#M19476 tonopahtaos 2020-09-28T11:57:07Z Re: My search does not work if it is scheduled to run for generating lookup table https://community.splunk.com/t5/Splunk-Search/My-search-does-not-work-if-it-is-scheduled-to-run-for-generating/m-p/76968#M19477 <P>If the search running in splunk console is fine, did you check earliest time and latest time? If both time is same as you did in splunk web console, you will need to case open to splunk support.</P> Mon, 18 Jun 2012 11:15:17 GMT https://community.splunk.com/t5/Splunk-Search/My-search-does-not-work-if-it-is-scheduled-to-run-for-generating/m-p/76968#M19477 Takajian 2012-06-18T11:15:17Z