
scheduled searches not scheduled anymore in v2.2.2

Explorer

Hi,

The two scheduled searches "Generate pages - scheduled" and "Generate user sessions - scheduled" aren't scheduled in version 2.2.2 anymore. In the previous version 2.1.0 they are still scheduled.
Are these scheduled searches no longer needed?

Best regards


Re: scheduled searches not scheduled anymore in v2.2.2

Splunk Employee

Hi hpbrand

They are definitely needed. If they are not scheduled in your environment, enable the search (if it's disabled) or click the schedule button. Do not change the schedule timings (cron) for the search as it is timed with the DM builds.

johan


Re: scheduled searches not scheduled anymore in v2.2.2

Explorer

Hi johan,

thank you for the really fast response.
I think there is something wrong in the default config for this version (2.2.2).
The scheduler portion is missing entirely in the stanzas for these two searches.
Here is an extract of the savedsearches.conf:

[Generate pages - scheduled]
alert.digest_mode = 1
search = eventtype=pageview \
[| inputlookup WA_settings \
| fields value \
| dedup value \
| rename value AS site] \
| top limit=100 http_request by site \
| fields site http_request \
| table site http_request \
| outputlookup WA_pages createinapp=t
alert.track = 0
dispatch.earliest_time = -30d

[Generate user sessions - scheduled]
alert.digest_mode = 1
search = | inputlookup WA_sessions \
| appendcols \
[| tstats summariesonly=t max(time) AS _time FROM datamodel=datamodel GROUPBY Web.http_session \
| sort -time \
| head 1 \
| rename _time AS datamodel_updatetime \
| fields datamodel_updatetime] \
| appendcols \
[| rest /servicesNS/-/-/data/models splunk_server=local search="acceleration=* eai:acl.app=SplunkAppForWebAnalytics" \
| fields acceleration] \
| append \
[ search eventtype=pageview indexearliest=-20m@m indexlatest=now site=* \
| eval time=time \
| eval http_referer = time."".http_referer \
| eval http_referer_domain = _time."".http_referer_domain \
| eval http_referer_hostname = time."".http_referer_hostname \
| fields time time http_referer http_referer_domain http_referer_hostname site clientip http_user_agent http_request \
| transaction site clientip http_user_agent maxpause=30m maxspan=4h keepevicted=f \
| eval user=md5(clientip."_".http_user_agent) \
| eval http_session=md5(clientip."".http_user_agent."".time) \
| stats first(site) as site,first(user) as user, first(time) AS httpsessionstart, last(time) AS httpsessionend,count(http_request) AS httpsessionpageviews,first(duration) as httpsessionduration,first(http_referer) as httpsessionreferrer,first(http_referer_domain) as httpsessionreferrerdomain,first(http_referer_hostname) as httpsessionreferrerhostname by time,http_session \
| search user=* \
| eval httpsessionreferrer=replace(httpsessionreferrer,"^[0-9.]","") \
| eval http_sessionreferrerdomain=if(httpsessionreferrer="-","-",replace(httpsessionreferrer_domain,"^[0-9.]","")) \
| eval http_sessionreferrerhostname=if(httpsessionreferrer="-","-",replace(httpsessionreferrerhostname,"^[0-9.]*","")) \
| dedup http_session \
| lookup WA_channels Hostname AS httpsessionreferrerhostname OUTPUT Channel AS httpsessionchannel \
| eval http_sessionchannel=if(httpsessionreferrer="-","Direct", if(like(site,"%".httpsessionreferrerdomain),"Direct", if(isnull(httpsessionchannel) AND isnotnull(http_session), "Referal", httpsessionchannel))) ] \
| dedup http_session \
| filldown datamodelupdatetime acceleration \
| where \
(time>=datamodelupdatetime AND acceleration=1)\
OR\
(acceleration=1 AND isnull(datamodel_updatetime))\
OR\
((_time>relativetime(now(), "-1d@d")) AND (acceleration=0 OR acceleration='' OR isnull(acceleration))) \
| reverse \
| streamstats count \
| where count <1000000 \
| table acceleration,datamodel_updatetime,count,time,site,user,http_session,httpsessionstart,httpsessionend,httpsessionpageviews,httpsessionduration,httpsessionreferrer,httpsessionreferrerdomain,httpsessionreferrerhostname httpsessionchannel \
| outputlookup WA_sessions createinapp=t

Shall I copy and use portions of the savedsearches.config from an older release (v2.1.0) as a workaround?


Re: scheduled searches not scheduled anymore in v2.2.2

Splunk Employee

You are right! In the latest release the schedule is gone. How strange. I will release a new update to correct that.

In the meantime, this is the scheduling you need to add back. I omitted the search part, so add that in:

[Generate pages - scheduled]
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
dispatch.earliest_time = -7d@d
dispatch.latest_time = now
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 0 * * *
enableSched = 1
alert.digest_mode = 1
search = THESEARCHGOESHERE

[Generate user sessions - scheduled]
alert.digest_mode = 1
action.email.reportServerEnabled = 0
action.email.useNSSubject = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = */10 * * * *
dispatch.earliest_time = 1
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","http_locale","http_method","http_os","http_os_version","http_referer","http_request","http_user_agent","aaaa","http_user_agent","http_session","channel","http_referer_domain","http_referer_hostname","http_channel","settings_site"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
display.visualizations.type = mapping
enableSched = 1
request.ui_dispatch_app = SplunkAppForWebAnalytics
request.ui_dispatch_view = search
disabled = 0
search = THESEARCHGOESHERE
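
A check for the condition described in this thread, as an added example that is not part of the original posts or the app's own code: it parses savedsearches.conf text (including backslash-continued search lines) and reports whether the two searches still carry `enableSched` and the cron values given in the reply above. The function names and the sample stanza text are assumptions made for illustration.

```python
EXPECTED_CRON = {  # cron values given in the reply above
    "Generate pages - scheduled": "0 0 * * *",
    "Generate user sessions - scheduled": "*/10 * * * *",
}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, joining backslash-continued lines."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if raw.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1] + " "  # multi-line search: keep accumulating
            continue
        pending = ""
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stanzas.setdefault(stripped[1:-1], {})
        elif current is not None and "=" in stripped and not stripped.startswith("#"):
            key, value = stripped.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def schedule_problems(stanzas):
    """Return {stanza: [problems]} for the two searches that must stay scheduled."""
    report = {}
    for name, cron in EXPECTED_CRON.items():
        s = stanzas.get(name, {})
        issues = []
        if s.get("enableSched", "0").lower() not in ("1", "true"):
            issues.append("enableSched not set")
        if s.get("disabled", "0").lower() in ("1", "true"):
            issues.append("search disabled")
        if s.get("cron_schedule") != cron:
            issues.append(f"cron_schedule is {s.get('cron_schedule')!r}, expected {cron!r}")
        if issues:
            report[name] = issues
    return report

# Constructed sample: first stanza lacks its schedule, second has it.
SAMPLE = r"""
[Generate pages - scheduled]
search = eventtype=pageview \
| outputlookup WA_pages createinapp=t
dispatch.earliest_time = -30d

[Generate user sessions - scheduled]
cron_schedule = */10 * * * *
enableSched = 1
"""
```

To check the effective merged configuration rather than a single file, pass it the output of `splunk btool savedsearches list --app=SplunkAppForWebAnalytics`.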