Can you help me with a Splunk scheduled report?



I have a scheduled report named ABC running every night at 1:00AM. It is owned by user USER for Application XYZ.

What is the search syntax to load this in a search application?

I used:

| loadjob savedsearch="USER:XYZ:ABC"

I am getting an error that says, artifacts not found.

What I would like is to use the results from this report, run some stats and OUTPUT to another CSV to be used for some of the drop down menus I have in my dashboard. My report is very large and drop down menus are taking longer when I run queries using scheduled report as reference.


0 Karma

Re: Can you help me with a Splunk scheduled report?


HI @mbasharat

You do have the correct syntax of
| loadjob savedsearch="USER:XYZ:ABC"

A few things you could do

1) Go to Search, Reports and Alerts; find the saved search and then do View Recent. If there isn't a view recent then the report didn't run.

2) Activity -> Jobs -> Search for the job name

3) If you have access to the _internal index then search for it. Maybe there's some information about the job. For example

index=_internal "ABC"

12-28-2018 17:34:55.337 +0000 INFO  SavedSplunker - savedsearch_id="nobody;search;ABC", search_type="scheduled", user="USER", app="search", savedsearch_name="ABC", priority=default, status=success, digest_mode=1, scheduled_time=1546017600, window_time=0, dispatch_time=1546017600, run_time=894.569, result_count=477, alert_actions="", sid="scheduler__USER__search__RMD5b823e1cbe61b853a_at_1546017600_8337", suppressed=0, thread_id="AlertNotifierWorker-0"

View solution in original post

0 Karma