scheduled searches not scheduled anymore in v2.2.2

hpbrand
Explorer

Hi,

the two scheduled searches "Generate pages - scheduled" and "Generate user sessions - scheduled" aren't scheduled in version 2.2.2 anymore. In previous version 2.1.0 they are still scheduled.
Are these scheduled searches no longer needed?

Best regards

0 Karma
1 Solution

hpbrand
Explorer

Hi johan,

thank you for the really fast response.
I think there is something wrong in the default config for this version (2.2.2).
The scheduler portion is missing entirely in the stanzas for these two searches.
Here an extract of the savedsearches.conf.

[Generate pages - scheduled]
alert.digest_mode = 1
search = eventtype=pageview \
[| inputlookup WA_settings \
| fields value \
| dedup value \
| rename value AS site] \
| top limit=100 http_request by site \
| fields site http_request \
| table site http_request \
| outputlookup WA_pages createinapp=t
alert.track = 0
dispatch.earliest_time = -30d

[Generate user sessions - scheduled]
alert.digest_mode = 1
search = | inputlookup WA_sessions \
| appendcols \
[| tstats summariesonly=t max(time) AS _time FROM datamodel=datamodel GROUPBY Web.http_session \
| sort -_time \
| head 1 \
| rename _time AS datamodel_update_time \
| fields datamodel_update_time] \
| appendcols \
[| rest /servicesNS/-/-/data/models splunk_server=local search="acceleration=* eai:acl.app=SplunkAppForWebAnalytics" \
| fields acceleration] \
| append \
[ search eventtype=pageview _index_earliest=-20m@m _index_latest=now site=* \
| eval time=_time \
| eval http_referer = _time."
".http_referer \
| eval http_referer_domain = time."".http_referer_domain \
| eval http_referer_hostname = time."".http_referer_hostname \
| fields time time http_referer http_referer_domain http_referer_hostname site clientip http_user_agent http_request \
| transaction site clientip http_user_agent maxpause=30m maxspan=4h keepevicted=f \
| eval user=md5(clientip."
".http_user_agent) \
| eval http_session=md5(clientip."".http_user_agent."".time) \
| stats first(site) as site,first(user) as user, first(time) AS http_session_start, last(time) AS http_session_end,count(http_request) AS http_session_pageviews,first(duration) as http_session_duration,first(http_referer) as http_session_referrer,first(http_referer_domain) as http_session_referrer_domain,first(http_referer_hostname) as http_session_referrer_hostname by _time,http_session \
| search user=* \
| eval http_session_referrer=replace(http_session_referrer,"^[0-9.]*
","") \
| eval http_session_referrer_domain=if(http_session_referrer="-","-",replace(http_session_referrer_domain,"^[0-9.]_","")) \
| eval http_session_referrer_hostname=if(http_session_referrer="-","-",replace(http_session_referrer_hostname,"^[0-9.]
_","")) \
| dedup http_session \
| lookup WA_channels Hostname AS http_session_referrer_hostname OUTPUT Channel AS http_session_channel \
| eval http_session_channel=if(http_session_referrer="-","Direct", if(like(site,"%".http_session_referrer_domain),"Direct", if(isnull(http_session_channel) AND isnotnull(http_session), "Referal", http_session_channel))) ] \
| dedup http_session \
| filldown datamodel_update_time acceleration \
| where \
(_time>=datamodel_update_time AND acceleration=1)\
OR\
(acceleration=1 AND isnull(datamodel_update_time))\
OR\
((_time>relative_time(now(), "-1d@d")) AND (acceleration=0 OR acceleration='' OR isnull(acceleration))) \
| reverse \
| streamstats count \
| where count <1000000 \
| table acceleration,datamodel_update_time,count,_time,site,user,http_session,http_session_start,http_session_end,http_session_pageviews,http_session_duration,http_session_referrer,http_session_referrer_domain,http_session_referrer_hostname http_session_channel \
| outputlookup WA_sessions createinapp=t

Shall I copy and use portions of the savedsearches.config from an older release (v2.1.0) as a workaround?

0 Karma


jbjerke_splunk
Splunk Employee

You are right! In the latest release the schedule is gone. How strange. I will release a new update to correct that.

In the meantime. This is the scheduling you need to add back, I omitted the search part so add that in:

[Generate pages - scheduled]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 0 * * *
enableSched = 1
alert.digest_mode = 1
search = THESEARCHGOESHERE

[Generate user sessions - scheduled]
alert.digest_mode = 1
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */10 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","http_locale","http_method","http_os","http_os_version","http_referer","http_request","http_user_agent","aaaa","http_user_agent","http_session","channel","http_referer_domain","http_referer_hostname","http_channel","settings_site"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
display.visualizations.type = mapping
enableSched = 1
request.ui_dispatch_app = SplunkAppForWebAnalytics
request.ui_dispatch_view = search
disabled = 0
search = THESEARCHGOESHERE
0 Karma
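
A check for the regression discussed in this thread, as an added example that is not part of the original posts or the app's code: it parses a savedsearches.conf, joins backslash-continued search lines (so subsearch lines starting with `[` are not mistaken for stanza headers), and reports stanzas whose name ends in "- scheduled" but lack the scheduler keys. The sample file is constructed with shortened search bodies, and the function names, the name-suffix filter and the set of true values are assumptions of this example.

```python
import re

# Constructed sample: the first stanza mimics the 2.2.2 default (no scheduler
# keys), the second carries the keys from the reply above. Searches shortened.
SAMPLE_CONF = r"""
[Generate pages - scheduled]
alert.digest_mode = 1
search = eventtype=pageview \
[| inputlookup WA_settings \
| fields value] \
| outputlookup WA_pages createinapp=t
alert.track = 0

[Generate user sessions - scheduled]
cron_schedule = */10 * * * *
enableSched = 1
search = | inputlookup WA_sessions \
| outputlookup WA_sessions createinapp=t
"""

TRUE_VALUES = {"1", "true", "t", "yes"}  # treated as true in this example

def parse_conf(text):
    """Return {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if raw.rstrip().endswith("\\"):      # value continues on the next line
            pending = line.rstrip()[:-1] + "\n"
            continue
        pending = ""
        stripped = line.strip()
        header = re.fullmatch(r"\[([^\]\n]+)\]", stripped)
        if header:
            current = header.group(1)
            stanzas[current] = {}
        elif current and "=" in stripped and not stripped.startswith("#"):
            key, _, value = stripped.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def schedule_problems(stanzas, suffix="- scheduled"):
    """Map each '<name> - scheduled' stanza to its missing scheduler settings."""
    problems = {}
    for name, kv in stanzas.items():
        issues = []
        if kv.get("enableSched", "0").lower() not in TRUE_VALUES:
            issues.append("enableSched not set")
        if not kv.get("cron_schedule"):
            issues.append("cron_schedule missing")
        if name.endswith(suffix) and issues:
            problems[name] = issues
    return problems
```

Running `schedule_problems(parse_conf(...))` over the merged configuration after an app upgrade shows which of the two searches lost its schedule before the lookups go stale.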

jbjerke_splunk
Splunk Employee

Hi hpbrand

They are definitely needed. If they are not scheduled in your environment, enable the search (if it's disabled) or click the schedule button. Do not change the schedule timings (cron) for the search as it is timed with the DM builds.

johan

0 Karma