Problem with scheduled reports

wsadowy1 · ‎09-23-2016

I have several reports scheduled to run at the same time with a window set to 5 minutes.
When the time they were scheduled to passes and I type the following command into the search window to check the status of these reports, it turns out almost none of them did run:

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") |search sched="2016-09-23 10:15:00"| table sched status savedsearch_name

I also see sos_refresh_splunk_servers_cache under savedsearch_name a lot of times.
What is it, and how can I make these reports run as scheduled?
Thank you

inventsekar · ‎09-23-2016

on inputs.conf, what info you have for [search] stanza.

can you run this for last 24hrs (or last 7 days) and check how many active_hist_searches and active_realtime_searches are there..

 index=_internal sourcetype=splunkd source=*metrics.log group=search_concurrency "system total" | table active_hist_searches active_realtime_searches

wsadowy1 · ‎09-23-2016

I'm using Web Splunk and I don't know how to open the inputs.conf file unfortunately.
As for the search you provieded. I ran it for the past 7 days and got over 190k rows of results. Would you like me to give you the sums of active_hists and active_realtime fields?

Problem with scheduled reports

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today