Reporting

Saved (scheduled) searches with no results: Encountered an error while reading file results.csv.gz

RiccardoV
Communicator

Hi guys,
I have an issue with a saved (and scheduled) search with no result.
If I schedule a search that returns no results and I try to get it with the command

| laodjob savedsearch="admin:app:label"

Splunk returns following error:

Encountered an error while reading file '$splunk_home$/var/run/splunk/dispatch/ .... /results.csv.gz'.

If I try to change the time window where the search works (to "force" it to find some results), it works great.

How can I be sure that Splunk creates the .cvs.gz file in any case even if the search does find no results? I can not dispatch a dashboard that returns a bad error like this!

thanks 🙂

Tags (2)
1 Solution

Lucas_K
Motivator

Add an extra line to the end of your scheduled search then 'something' will always be written regardless of the number of results obtained.

| append [|stats count |eval count="complete"| rename count as "info_search_marker" ]

You'll then need to just get rid of this line when you retrieve the results later.

| fields - info_search_marker

View solution in original post

chanst2
Path Finder

Please try to add "events=true" as an argument of the loadjob command. Splunk will not return such error even when no events returned for the savedsearch

0 Karma

chanst2
Path Finder

I just tried to upload my screen shot, but too bad that my karma is <60 so that I couldn't upload.

When I issued this search command in the Splunk search bar
|loadjob events=true savedSearch="admin:xxx:yyy", I got "No results found." as a normal search without any events returned. However, when I issued |loadjob savedSearch="admin:xxx:yyy", I got "Encountered an error while reading file '/aaa/var/run/splunk/dispatch/scheduler__admin_bbb_at_1405558800_3192/results.csv.gz'."

In my case, this "events=true" works in both the search view and a dashboard panel

0 Karma

musskopf
Builder

Just tried now and it didn't work. Created a saved search with no results, still showing:

Encountered an error while reading file '/xxxx/splunk/dispatch/scheduler_admin_dxxxxjcmVlbg_RMD5edaa75325ad60f36_at_140999940_5127/results.csv.gz'.

0 Karma

RiccardoV
Communicator

thanks, I'll try asap!

0 Karma

Lucas_K
Motivator

Add an extra line to the end of your scheduled search then 'something' will always be written regardless of the number of results obtained.

| append [|stats count |eval count="complete"| rename count as "info_search_marker" ]

You'll then need to just get rid of this line when you retrieve the results later.

| fields - info_search_marker

musskopf
Builder

I was having similar issue here, Splunk doesn't create the result file, if nothing is returned... It's a shame as only adds coding overhead on something should be straight-forward. Anyway, thanks for the tip!

0 Karma

RiccardoV
Communicator

thanks A LOT! It works like a charm!
Then, you confirm that is a known issue that Splunk doesn't create a results.csv.gz file if the scheduled search returns no results?
thanks again!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...