scheduled searches not scheduled anymore in v2.2.2

hpbrand
Explorer

Hi,

the two scheduled searches "Generate pages - scheduled" and "Generate user sessions - scheduled" aren't scheduled in version 2.2.2 anymore. In the previous version 2.1.0 they are still scheduled.
Are these scheduled searches no longer needed?

Best regards


hpbrand
Explorer

Hi johan,

thank you for the really fast response.
I think there is something wrong in the default config for this version (2.2.2).
The scheduler portion is missing entirely in the stanzas for these two searches.
Here is an extract of the savedsearches.conf.

[Generate pages - scheduled]
alert.digest_mode = 1
search = eventtype=pageview \
[| inputlookup WA_settings \
| fields value \
| dedup value \
| rename value AS site] \
| top limit=100 http_request by site \
| fields site http_request \
| table site http_request \
| outputlookup WA_pages createinapp=t
alert.track = 0
dispatch.earliest_time = -30d

[Generate user sessions - scheduled]
alert.digest_mode = 1
search = | inputlookup WA_sessions \
| appendcols \
[| tstats summariesonly=t max(time) AS _time FROM datamodel=datamodel GROUPBY Web.http_session \
| sort -_time \
| head 1 \
| rename _time AS datamodel_update_time \
| fields datamodel_update_time] \
| appendcols \
[| rest /servicesNS/-/-/data/models splunk_server=local search="acceleration=* eai:acl.app=SplunkAppForWebAnalytics" \
| fields acceleration] \
| append \
[ search eventtype=pageview _index_earliest=-20m@m _index_latest=now site=* \
| eval time=_time \
| eval http_referer = _time."".http_referer \
| eval http_referer_domain = time."".http_referer_domain \
| eval http_referer_hostname = time."".http_referer_hostname \
| fields time time http_referer http_referer_domain http_referer_hostname site clientip http_user_agent http_request \
| transaction site clientip http_user_agent maxpause=30m maxspan=4h keepevicted=f \
| eval user=md5(clientip."".http_user_agent) \
| eval http_session=md5(clientip."".http_user_agent."".time) \
| stats first(site) as site,first(user) as user, first(time) AS http_session_start, last(time) AS http_session_end,count(http_request) AS http_session_pageviews,first(duration) as http_session_duration,first(http_referer) as http_session_referrer,first(http_referer_domain) as http_session_referrer_domain,first(http_referer_hostname) as http_session_referrer_hostname by _time,http_session \
| search user=* \
| eval http_session_referrer=replace(http_session_referrer,"^[0-9.]*","") \
| eval http_session_referrer_domain=if(http_session_referrer="-","-",replace(http_session_referrer_domain,"^[0-9.]_","")) \
| eval http_session_referrer_hostname=if(http_session_referrer="-","-",replace(http_session_referrer_hostname,"^[0-9.]_","")) \
| dedup http_session \
| lookup WA_channels Hostname AS http_session_referrer_hostname OUTPUT Channel AS http_session_channel \
| eval http_session_channel=if(http_session_referrer="-","Direct", if(like(site,"%".http_session_referrer_domain),"Direct", if(isnull(http_session_channel) AND isnotnull(http_session), "Referal", http_session_channel))) ] \
| dedup http_session \
| filldown datamodel_update_time acceleration \
| where \
(_time>=datamodel_update_time AND acceleration=1)\
OR\
(acceleration=1 AND isnull(datamodel_update_time))\
OR\
((_time>relative_time(now(), "-1d@d")) AND (acceleration=0 OR acceleration='' OR isnull(acceleration))) \
| reverse \
| streamstats count \
| where count <1000000 \
| table acceleration,datamodel_update_time,count,_time,site,user,http_session,http_session_start,http_session_end,http_session_pageviews,http_session_duration,http_session_referrer,http_session_referrer_domain,http_session_referrer_hostname http_session_channel \
| outputlookup WA_sessions createinapp=t

Shall I copy and use portions of the savedsearches.config from an older release (v2.1.0) as a workaround?


jbjerke_splunk
Splunk Employee

You are right! In the latest release the schedule is gone. How strange. I will release a new update to correct that.

In the meantime, this is the scheduling you need to add back. I omitted the search part, so add that in:

[Generate pages - scheduled]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 0 * * *
enableSched = 1
alert.digest_mode = 1
search = THESEARCHGOESHERE

[Generate user sessions - scheduled]
alert.digest_mode = 1
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */10 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","http_locale","http_method","http_os","http_os_version","http_referer","http_request","http_user_agent","aaaa","http_user_agent","http_session","channel","http_referer_domain","http_referer_hostname","http_channel","settings_site"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
display.visualizations.type = mapping
enableSched = 1
request.ui_dispatch_app = SplunkAppForWebAnalytics
request.ui_dispatch_view = search
disabled = 0
search = THESEARCHGOESHERE

jbjerke_splunk
Splunk Employee

Hi hpbrand

They are definitely needed. If they are not scheduled in your environment, enable the search (if it's disabled) or click the schedule button. Do not change the schedule timings (cron) for the search as it is timed with the DM builds.

johan

0 Karma
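
A check for the regression discussed in this thread, as an added example (not code from the app or from either poster): it parses a savedsearches.conf, including backslash-continued search lines that begin with `[`, and reports which of the two searches lack `enableSched` or `cron_schedule`. The sample config is constructed, abbreviated from the extract and the reply above; the function names are this example's own.

```python
import re

# Search names taken from the thread; everything else here is illustrative.
EXPECTED = ["Generate pages - scheduled", "Generate user sessions - scheduled"]

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; a repeated key overwrites."""
    stanzas, current, key, continued = {}, None, None, False
    for raw in text.splitlines():
        raw = raw.rstrip()
        if continued:  # subsearch lines starting with "[" land here, not as stanzas
            current[key] += "\n" + raw.rstrip("\\")
            continued = raw.endswith("\\")
            continue
        header = re.fullmatch(r"\[(.+)\]", raw)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in raw and not raw.startswith("#"):
            key, _, value = raw.partition("=")
            key, continued = key.strip(), value.endswith("\\")
            current[key] = value.rstrip("\\").strip()
    return stanzas

def unscheduled(stanzas, expected=EXPECTED):
    """Map each expected search that will not run on a schedule to its problems."""
    findings = {}
    for name in expected:
        keys, problems = stanzas.get(name, {}), []
        if keys.get("enableSched", "0").lower() not in ("1", "true"):
            problems.append("enableSched not set")
        if not keys.get("cron_schedule"):
            problems.append("cron_schedule missing")
        if problems:
            findings[name] = problems
    return findings

# Constructed sample: first stanza as in 2.2.2 (no scheduler keys), second fixed.
SAMPLE = r"""
[Generate pages - scheduled]
search = eventtype=pageview \
[| inputlookup WA_settings \
| rename value AS site] \
| outputlookup WA_pages createinapp=t
alert.track = 0
[Generate user sessions - scheduled]
cron_schedule = */10 * * * *
enableSched = 1
"""
print(unscheduled(parse_conf(SAMPLE)))
```

Run it against the app's default and local savedsearches.conf after an upgrade; an empty result means both searches still carry their schedule.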