Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- How to get saved search's last successful run time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to get saved search's last successful run time
-----
-----
------
| fields totalrec, mydate
| search index=_internal savedsearch_name="anothersavedsearch" status="success"
| stats max(_time) as lastrun
| eval lastsearchdate = if(totalrec>0,strftime(lastrun,"%Y-%m-%d"),mydate)
| table lastsearchdate
My requirement is, if the totalrec is greater than zero, then save lastsearchdate as saved search's last successful runtime, else store mydate to lastsearchdate.
But i am getting no records when i run this saved search. Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Modify the 7th line
Eval lastsearcheddate=(strftime(lastrun,format),mydate) | where totalrec>0
It will work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This part is not correct strftime(lastrun,format),mydate)
so it didnt work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
eval lastsearcheddate = strftime( strptime( lastrun, "%Y-%m-%d" ), mydate)
Could you please try this command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
you can find out last run of search with below query:
index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, but this query doesnt satisfy my requirement with respect to totalrec which i have got from previous lines in the same query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try using subsearch for getting lastrun.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried already, but really not sure how to do it and i wasn't success
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed the issue with subsearch, Thank you.
Thanks for the Memories! Splunk University, .conf25, and our Community
Data Persistence in the OpenTelemetry Collector
Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever
