
Enabled 30 minute search won't run/populate data every 30 minutes

lbnsam
New Member

Hi there, I have gone through the installation instructions of the Meta Woot! app, however the selected search won't run.

I tested the search itself, which works just fine when run manually. The data populates when the search is run manually as well.

Any ideas why it wouldn't run on the chosen schedule? I have not tried the other time intervals yet.

0 Karma
1 Solution

mockd
Path Finder

Hi,

A couple things to check:
- Does the job inspector show the job as having run with just zero results? Or does it show any errors?
- Have you confirmed that the scheduled search isn't being skipped?
- The searches are owned by the "admin" user when installed. Were there any changes to the ownership and/or does your admin account exist and have the correct access to the data?

Thanks!


0 Karma

lbnsam
New Member

Turns out that the search was being skipped. Still investigating but the search itself was assigned to a role rather than a user and thus it was considered "Orphaned". I still don't understand why the search wouldn't run as the admin role, so I still have quite a bit to learn.

0 Karma

mockd
Path Finder

The owner of a KO/search etc. needs to be a user; it can't be assigned to a role. So if you didn't actually have an "admin" user, then it would be considered orphaned and not scheduled.

0 Karma

mockd
Path Finder

Hi,

That is a bit odd. The schedule for the 30min search should be */30 * * * *.

You should be able to update it, but you might want to check if it was modified after the app was installed. You should be able to look in the meta woot app directory and see if there is a local savedsearches.conf file that would overwrite the settings from the default version.

0 Karma
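One way to run the two checks discussed in this thread (a local savedsearches.conf that overrides the shipped `cron_schedule`, and a saved search whose owner is not an existing user), as an added example that is not from the posters or the app. The app directory contents, the search name and the user list are constructed, and only per-object `[savedsearches/<name>]` metadata stanzas are read.

```python
from pathlib import Path
from urllib.parse import unquote

def parse_conf(path):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; no line continuations."""
    stanzas, current = {}, None
    text = Path(path).read_text() if Path(path).exists() else ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def cron_overrides(app_dir):
    """{search: (default_cron, local_cron)} where local/ changes the schedule."""
    app = Path(app_dir)
    default = parse_conf(app / "default" / "savedsearches.conf")
    local = parse_conf(app / "local" / "savedsearches.conf")
    return {
        name: (default.get(name, {}).get("cron_schedule"), s["cron_schedule"])
        for name, s in local.items()
        if "cron_schedule" in s
        and s["cron_schedule"] != default.get(name, {}).get("cron_schedule")
    }

def unknown_owners(app_dir, known_users):
    """{search: owner} for saved searches whose owner is not in known_users."""
    app, owners = Path(app_dir), {}
    for layer in ("default.meta", "local.meta"):  # local.meta read last, so it wins
        for stanza, s in parse_conf(app / "metadata" / layer).items():
            if stanza.startswith("savedsearches/") and "owner" in s:
                owners[unquote(stanza.split("/", 1)[1])] = s["owner"]
    return {n: o for n, o in owners.items() if o not in known_users}

def build_sample(root):
    """Write a constructed app directory (search name and values are made up)."""
    files = {
        "default/savedsearches.conf": "[Sample - 30m]\ncron_schedule = */30 * * * *\n",
        "local/savedsearches.conf": "[Sample - 30m]\ncron_schedule = 30 * * * *\n",
        "metadata/default.meta": "[savedsearches/Sample%20-%2030m]\nowner = admin\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root
```

Point `cron_overrides` and `unknown_owners` at a real app directory and pass the set of user names that actually exist on the deployment; any search returned by `unknown_owners` is a candidate for the "Orphaned" state described above.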

lbnsam
New Member

I'm still not certain as to why it was being skipped, investigating now. I disabled all accelerated searches to try to see if that will help.

0 Karma

mockd
Path Finder

From what you posted, the cron schedule for the 30min search was incorrect. Did you validate if it had been changed? (i.e., a local version).

0 Karma

lbnsam
New Member

I actually switched to the 15 minute one as I was certain that it was unchanged. It also agreed with the format you provided as additional assurance.

The knowledge object was considered "Orphaned", so I reassigned it to run as Administrator, and it seems to be working fine. In fact, I just checked and it updated the Next Scheduled Time field.

It is really very strange, I installed the app as the Administrator, the searches were owned by "admin" (which I believe is the role and not any user) but it was still considered "Orphaned".

I will keep an eye on it and update this thread if it doesn't work anymore, but it seems to be working.

Is there a problem running this as Administrator? I feel like it would be best practice to assign the KO to a different user, one with more limited permissions.

0 Karma

mockd
Path Finder

Ok, that would explain it. The searches and KOs should be owned by an account with appropriate permissions/capabilities to view the data in your Splunk deployment. This is normally the "admin" user, which is what is configured by default. So if you are using a different account than "admin" then they should be updated.

Glad to hear it's working!

0 Karma

lbnsam
New Member

I find it strange that the admin user does not have the permissions to run this search...

If this is configured by default, why was the search considered to be orphaned?

0 Karma

lbnsam
New Member

Sorry, made a mistake when I made this question: It is actually a scheduled report that runs according to the cron job using this schedule: */30 * * * *

  1. How do you check the job inspector for a scheduled report? When I run the report manually, all the data populates just fine, including in the required dashboards. The job inspector looks fine in this case.
  2. How do you check if it is being skipped?
  3. There was no change to the admin permissions/ownership, the admin does have the required accesses

Thanks for the response!

0 Karma

lbnsam
New Member

Just tried a different report option (every 15 minutes), it seems that there is a bug with the scheduling. When I enabled the other report, the field "Next Scheduled Time" populated with data.

This wasn't true for the original report I enabled.

Any ideas as to why this may not have happened for the other report?

0 Karma