Reporting

How come my scheduled report is sending emails with no results when manual search shows data?

Earenhart
Path Finder

Hello,

I have a report that is run daily going back 24 hours. That report was reporting results just fine up until a few days ago, and nothing about the report has changed, yet now the results in the email are blank even though running the search manually returns results. What could possibly cause this type of behavior? I have checked the schedule settings, permissions, the search itself, none of it is any different than what I originally saved. Other saved reports and alerts are running just fine.

Are there any sort of backend changes to splunk that have been known to cause this type of behavior? Perhaps changes in the environment?

There was a post about this same issue in 2015 titled "Scheduled report shows "No results found" but manual report sees data", which was never answered.

0 Karma

somesoni2
Revered Legend

Check if the data that the scheduled report is looking for, was searchable at the time the report was run. By running something like this

your base search | eval _time=_indextime

Here we're changing the event timestamp to the time when it got indexed, to confirm that the search had all the data available to it when it ran.

0 Karma

Earenhart
Path Finder

I was able to simply delete and resave the report, and it appears to be working properly now. I still would like to understand why this happens if anyone knows. Having a report/alert randomly break for reasons unknown is definitely unacceptable.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...