-----
-----
------
| fields totalrec, mydate
| search index=_internal savedsearch_name="anothersavedsearch" status="success"
| stats max(_time) as lastrun
| eval lastsearchdate = if(totalrec>0,strftime(lastrun,"%Y-%m-%d"),mydate)
| table lastsearchdate
My requirement is, if the totalrec is greater than zero, then save lastsearchdate as saved search's last successful runtime, else store mydate to lastsearchdate.
But i am getting no records when i run this saved search. Please help.
Modify the 7th line
Eval lastsearcheddate=(strftime(lastrun,format),mydate) | where totalrec>0
It will work
This part is not correct strftime(lastrun,format),mydate)
so it didnt work.
eval lastsearcheddate = strftime( strptime( lastrun, "%Y-%m-%d" ), mydate)
Could you please try this command
Hi,
you can find out last run of search with below query:
index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time |
Thank you, but this query doesnt satisfy my requirement with respect to totalrec which i have got from previous lines in the same query.
Can you try using subsearch for getting lastrun.
I tried already, but really not sure how to do it and i wasn't success
Fixed the issue with subsearch, Thank you.