Archive
Highlighted

Problem with scheduled reports

Explorer

I have several reports scheduled to run at the same time with a window set to 5 minutes.
When the time they were scheduled to passes and I type the following command into the search window to check the status of these reports, it turns out almost none of them did run:

index=_internal source=scheduler.log | eval sched = strftime(scheduledtime, "%Y-%m-%d %H:%M:%S") |search sched="2016-09-23 10:15:00"| table sched status savedsearchname*

I also see sosrefreshsplunkserverscache under savedsearch_name a lot of times.
What is it, and how can I make these reports run as scheduled?
Thank you

0 Karma
Highlighted

Re: Problem with scheduled reports

Champion

on inputs.conf, what info you have for [search] stanza.

can you run this for last 24hrs (or last 7 days) and check how many activehistsearches and activerealtimesearches are there..

 index=_internal sourcetype=splunkd source=*metrics.log group=search_concurrency "system total" | table active_hist_searches active_realtime_searches
0 Karma
Highlighted

Re: Problem with scheduled reports

Explorer

I'm using Web Splunk and I don't know how to open the inputs.conf file unfortunately.
As for the search you provieded. I ran it for the past 7 days and got over 190k rows of results. Would you like me to give you the sums of activehists and activerealtime fields?

0 Karma