
Clicking "View results in Splunk" in mail notification gives

thanikeshn
Explorer

The search you requested could not be found.

The search has probably expired or been deleted.

Clicking "Rerun search" will run a new search based on the expired search's search string in the expired search's original time period. Alternatively, you can return back to Splunk.


jawahir007
Communicator

In Splunk, the error message "The search you requested could not be found" typically indicates an issue related to accessing or locating a saved search or search job. Here are some common reasons for this error and possible solutions:

1. Expired Search Jobs

  • Saved search jobs in Splunk have a Time to Live (TTL) value, after which they expire and are deleted.
  • If the job you are trying to access has already expired, Splunk will display this error.
  • Solution: Try rerunning the search or adjusting the TTL of the search job for future cases.

 


When you open the saved search, you'll find a section called 'Job Settings.' Inside that, there's an option labeled 'lifetime,' which allows you to set the duration to either 10 minutes or 7 days. This might be useful for what you're trying to achieve.


Refer to this link for more info: https://docs.splunk.com/Documentation/Splunk/9.2.1/Search/Extendjoblifetimes

2. Job ID Not Found

  • If you're trying to view a specific search job using its ID (e.g., via the URL or search job history), the job might not exist anymore, or the ID could be incorrect.
  • Solution: Double-check the job ID or re-run the search to generate a new job ID.

3. Permissions or Access Issues

  • The saved search might have been moved, renamed, or deleted, or you may not have the necessary permissions to view it.
  • Solution: Verify that you have the correct permissions to access the saved search and ensure that it still exists.

4. Corrupted Search Job

  • In rare cases, search jobs might become corrupted or incomplete, causing Splunk to fail when trying to load the search results.
  • Solution: If possible, rerun the search to create a fresh job.

5. App Context Change

  • If a saved search was created in a different app context (e.g., in one Splunk app and you're trying to access it from another), Splunk might not be able to find the search.
  • Solution: Switch to the app where the search was created, or ensure the search is shared across apps.

6. Search Scheduling Conflicts

  • If the saved search is scheduled and there was an issue during one of its scheduled runs, Splunk might show this error if it can't retrieve the job.
  • Solution: Review the schedule settings or try manually running the search to confirm it works.

 

------

If you find this solution helpful, please consider accepting it and awarding karma points !!
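
As an added example (not part of the original post, and not Splunk's own tooling): a Python check over a constructed savedsearches.conf sample that resolves how long each emailing alert's job artifacts live and flags those whose "View results in Splunk" link would expire inside a chosen window. It assumes the `<integer>[p]` TTL syntax, a per-search `action.email.ttl` override and an 86400-second email default; the stanza names, the cron shortcuts in `schedule_period` and the one-day threshold are illustrative.

```python
import configparser

# Constructed sample in savedsearches.conf syntax; stanza names and values are illustrative.
SAMPLE_CONF = """
[Failed logins burst]
cron_schedule = */5 * * * *
action.email = 1
action.email.ttl = 2p
[Daily privileged account report]
cron_schedule = 0 6 * * *
action.email = 1
action.email.ttl = 604800
[Hourly summary, no email]
cron_schedule = 0 * * * *
dispatch.ttl = 2p
"""
EMAIL_TTL_DEFAULT = "86400"  # assumed email default from alert_actions.conf; verify on your version

def schedule_period(cron):  # seconds between runs for three simple cron shapes, else None
    parts = cron.split()
    if len(parts) != 5 or parts[2:] != ["*", "*", "*"]:
        return None
    minute, hour = parts[:2]
    if minute.startswith("*/") and minute[2:].isdigit() and hour == "*":
        return int(minute[2:]) * 60
    if minute.isdigit():
        return 3600 if hour == "*" else 86400 if hour.isdigit() else None
    return None

def ttl_seconds(value, period):  # '<integer>' is seconds, '<integer>p' is schedule periods
    if value.endswith("p"):
        return None if period is None else int(value[:-1]) * period
    return int(value)

def short_lived_email_alerts(conf_text, min_seconds):
    """Return (stanza, ttl) for emailing alerts whose artifacts expire before min_seconds."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        stanza = cp[name]
        if stanza.get("action.email", "0") != "1":
            continue  # no email action, so no "View results" link to break
        period = schedule_period(stanza.get("cron_schedule", ""))
        ttl = ttl_seconds(stanza.get("action.email.ttl", EMAIL_TTL_DEFAULT), period)
        if ttl is None or ttl < min_seconds:
            findings.append((name, ttl))  # ttl None: period unknown, review by hand
    return findings

print(short_lived_email_alerts(SAMPLE_CONF, 86400))  # one-day window is illustrative
```

A TTL of `2p` on a five-minute schedule resolves to 600 seconds, so the link in that alert's email stops working ten minutes after the run.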


thanikeshn
Explorer

Thank you, that worked for me.

