I have non-admin users with dashboards. The base search uses a loadjob of a job that is scheduled each day to look at a day's worth of events. Other searches in the dashboard also use the loadjob command. This all works well.
The scheduled job takes a long time to run and sometimes fails. We changed the job TTL to keep the results for 3 days.
The user wants to see the date that the scheduled job the loadjob command is using was run for. The user isn't an admin, so does NOT have access to the _audit index. Is there any way for a non-admin to display the job date of the latest saved search run in a dashboard? The user wants to know which day the job results are for.
FYI, if they did, they could do something like:
index=_audit savedsearch_name="MySearch" info=completed result_count>0
| eval job_start_time=strftime(exec_time,"%Y-%m-%d %H:%M:%S")
Your user may be able to get the data from a REST call, especially in a dashboard, if they can already see the job results.
Just use the format below as a search:
| rest splunk_server=local /servicesNS/admin/search/saved/searches/{search name url encoded}/history
This should provide them with all the details; you'll want to look at the published time field, and of course look for the most recent job to complete (isDone versus isFinalized).
You can derive the run time of any SID from the details of the SID's name. For example, I had a scheduled search with a SID of scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576394280_17. In this case, the next-to-last segment, 1576394280, is the time that the search was run, which translates to 2019-12-15 01:18:00.
Thanks @woodcock, so what would the search be for a non-admin to get that SID with the Unix date?
Add
| addinfo | rename info_sid AS _SID | fields - info_*
to every search. Then you can just do
| savedsearch ... | rename _SID AS SID
and go from there.
Thanks. I was looking for a solution that didn't involve updating each saved search. This is a technique I will test.
Thanks! I modified this search to avoid the error about not being able to access the REST call, per https://answers.splunk.com/answers/712773/error-on-overview-pane-failed-to-fetch-rest-endpoi.html
| rest splunk_server=local /services/saved/searches/mysearch/history
| search isDone=1
| stats max(published) as search_date
| eval search_date=strftime(strptime(search_date,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| rename search_date AS "Search Date"
| table "Search Date"
This works.
@aromanauskas BTW, if you convert this to an answer I can accept it. Thanks.
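Added example, not from the thread or from Splunk: it carries both techniques above (the "_at_<epoch>" segment of a scheduler SID that @woodcock describes, and picking the latest finished job out of the saved-search /history listing that the final | rest search reads) through in Python, against a constructed history payload in the shape of the endpoint's JSON output (entry[].content with isDone, isFailed and published; the search name, SIDs and timestamps are made up). Two caveats it handles that the posted SPL does not: isDone=1 is also true for a job that failed, so the filter must exclude isFailed, and published carries a UTC offset, which the posted strptime format stops before; keeping the offset makes the "which day" answer unambiguous.

```python
"""Added example (not from the original thread): derive the run date of a
scheduled Splunk search from (a) the scheduler SID naming scheme and (b) a
saved-search /history listing. SAMPLE_HISTORY is constructed data."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Scheduler SIDs have the form
#   scheduler__<owner>__<app>__RMD5<hash>_at_<epoch>_<seq>
# where "_at_<epoch>" is the scheduled run time as a Unix epoch (UTC seconds).
SCHEDULED_SID_RE = re.compile(r"_at_(?P<epoch>\d{9,11})_\d+$")


def sid_run_time(sid: str) -> Optional[datetime]:
    """Return the run time encoded in a scheduler SID as an aware UTC datetime,
    or None for SIDs without that segment (ad-hoc searches get a plain
    '<epoch>.<n>' SID and carry no '_at_' segment)."""
    m = SCHEDULED_SID_RE.search(sid)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)


def _truthy(value) -> bool:
    """Job flags arrive as "1"/"0" strings from | rest and may be JSON booleans
    from the HTTP API; accept both spellings."""
    return str(value).lower() in ("1", "true")


def latest_completed(history_json: str) -> Optional[dict]:
    """Pick the most recently published job that finished AND did not fail.
    isDone alone is not enough: a job that errored out is also done
    (isDone=1, isFailed=1) and would otherwise be reported as the latest."""
    entries = json.loads(history_json)["entry"]
    good = []
    for e in entries:
        c = e["content"]
        if _truthy(c.get("isDone")) and not _truthy(c.get("isFailed")):
            # 'published' includes a UTC offset such as -06:00; fromisoformat
            # keeps it, so the max() below compares real instants.
            good.append((datetime.fromisoformat(c["published"]), e["name"]))
    if not good:
        return None
    published, sid = max(good)
    return {
        "sid": sid,
        "published": published,
        "published_day": published.date().isoformat(),  # day in the job's own zone
        "scheduled_for": sid_run_time(sid),             # same run, from the SID
    }


# Constructed sample in the shape of GET .../saved/searches/<name>/history
# with output_mode=json. Names, SIDs and times are invented for illustration.
SAMPLE_HISTORY = json.dumps({"entry": [
    {"name": "scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576221480_17",
     "content": {"isDone": "1", "isFailed": "0", "isFinalized": "0",
                 "published": "2019-12-13T01:18:00-06:00"}},
    {"name": "scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576307880_17",
     "content": {"isDone": "1", "isFailed": "0", "isFinalized": "0",
                 "published": "2019-12-14T01:18:00-06:00"}},
    # Most recent run, but it failed: isDone is still 1, so a bare isDone=1
    # filter would report this day although it has no usable results.
    {"name": "scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576394280_17",
     "content": {"isDone": "1", "isFailed": "1", "isFinalized": "0",
                 "published": "2019-12-15T01:18:00-06:00"}},
]})

if __name__ == "__main__":
    print(latest_completed(SAMPLE_HISTORY))
```

In a dashboard the same selection in SPL would be `| search isDone=1 isFailed=0` before the `stats max(published)`; the Python version is here to make the failed-run case and the offset handling explicit and testable.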