Solved: Re: Saved (scheduled) searches with no results: En...

RiccardoV · ‎08-30-2013

Hi guys,
I have an issue with a saved (and scheduled) search with no result.
If I schedule a search that returns no results and I try to get it with the command

| laodjob savedsearch="admin:app:label"

Splunk returns following error:

Encountered an error while reading file '$splunk_home$/var/run/splunk/dispatch/ .... /results.csv.gz'.

If I try to change the time window where the search works (to "force" it to find some results), it works great.

How can I be sure that Splunk creates the .cvs.gz file in any case even if the search does find no results? I can not dispatch a dashboard that returns a bad error like this!

thanks 🙂

Lucas_K · ‎09-15-2013

Add an extra line to the end of your scheduled search then 'something' will always be written regardless of the number of results obtained.

| append [|stats count |eval count="complete"| rename count as "info_search_marker" ]

You'll then need to just get rid of this line when you retrieve the results later.

| fields - info_search_marker

View solution in original post

chanst2 · ‎07-15-2014

Please try to add "events=true" as an argument of the loadjob command. Splunk will not return such error even when no events returned for the savedsearch

chanst2 · ‎07-16-2014

I just tried to upload my screen shot, but too bad that my karma is <60 so that I couldn't upload.

When I issued this search command in the Splunk search bar
|loadjob events=true savedSearch="admin:xxx:yyy", I got "No results found." as a normal search without any events returned. However, when I issued |loadjob savedSearch="admin:xxx:yyy", I got "Encountered an error while reading file '/aaa/var/run/splunk/dispatch/scheduler__admin_bbb_at_1405558800_3192/results.csv.gz'."

In my case, this "events=true" works in both the search view and a dashboard panel

musskopf · ‎07-16-2014

Just tried now and it didn't work. Created a saved search with no results, still showing:

Encountered an error while reading file '/xxxx/splunk/dispatch/scheduler_admin_dxxxxjcmVlbg_RMD5edaa75325ad60f36_at_140999940_5127/results.csv.gz'.

RiccardoV · ‎07-16-2014

thanks, I'll try asap!

Lucas_K · ‎09-15-2013

Add an extra line to the end of your scheduled search then 'something' will always be written regardless of the number of results obtained.

| append [|stats count |eval count="complete"| rename count as "info_search_marker" ]

You'll then need to just get rid of this line when you retrieve the results later.

| fields - info_search_marker

musskopf · ‎07-06-2014

I was having similar issue here, Splunk doesn't create the result file, if nothing is returned... It's a shame as only adds coding overhead on something should be straight-forward. Anyway, thanks for the tip!

RiccardoV · ‎09-16-2013

thanks A LOT! It works like a charm!
Then, you confirm that is a known issue that Splunk doesn't create a results.csv.gz file if the scheduled search returns no results?
thanks again!

Saved (scheduled) searches with no results: Encountered an error while reading file results.csv.gz

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms