Can anyone help me identify auto-finalized or trun...

Task1906 · ‎11-20-2019

I am having trouble crafting a search to identify auto-finalized or truncated searches.

This is the search I am using currently.

index="_internal" status="skipped" search_type="scheduled"
| eval Scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
| stats values(Scheduled) as Scheduled
    values(status) as Status
    values(user) as User
    values(savedsearch_id) as Savedsearch_id
    values(savedsearch_name) as Savedsearch_name
    values(reason) as Reason
    by _time,savedsearch_name
| sort - Scheduled
| table Scheduled Status User Savedsearch_id Savedsearch_name Reason

to4kawa · ‎11-26-2019

 index="_internal" status="skipped" search_type="scheduled"
 | eval Scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
 | stats values(Scheduled) as Scheduled
     values(status) as Status
     values(user) as User
     values(savedsearch_id) as Savedsearch_id
     values(savedsearch_name) as Savedsearch_name
     values(reason) as Reason
     by _time,savedsearch_name
 | sort 0 - Scheduled
 | table Scheduled Status User Savedsearch_id Savedsearch_name Reason

Hi, Removed restriction by sort 0 - Scheduled 　

Can anyone help me identify auto-finalized or truncated searches/alerts?

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?

Can anyone help me identify auto-finalized or truncated searches/alerts?

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever