Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: Scheduled report error -- Search process did n...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When running the following manually there are no issues. But when this is scheduled the following error is noted and half the information is not present.
[subsearch]: [1spl-ind04-dc1] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.
[subsearch]: [1spl-ind04-dc2] Search process did not exit cleanly, exit_code=-1, description="exited with code -1". Please look in search.log for this peer in the Job Inspector for more info.
|inputlookup idstoroles.csv | where like (role_name,"%External User%") | join type=left user_id[search index=onelogin event_type_id=5 |eval mytime=strftime(_time, "%Y-%m-%d") |lookup idstoroles.csv user_id
|stats distinct_count(mytime) as "total logins" by role_name,user_name,user_id |where like(role_name, "%External User%")] | table username,user_name, firstname, lastname, user_id, "total logins" |outputlookup logins.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems likely the subsearch is running out of space or time. There's an easy way to invert the search, though, so that won't happen.
Try running this version ... if it gets the same result, then use it instead, and add the outputlookup on the end.
index=onelogin event_type_id=5
| eval mytime=strftime(_time, "%Y-%m-%d")
| lookup idstoroles.csv user_id
| stats distinct_count(mytime) as logcount by role_name, user_name, user_id
| where like(role_name, "%External User%")
| append [ | inputlookup idstoroles.csv
| where like (role_name,"%External User%")
| table role_name, user_name, user_id
| eval logcount=0
]
| stats sum(logcount) as "total logins" by role_name, user_name, user_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems likely the subsearch is running out of space or time. There's an easy way to invert the search, though, so that won't happen.
Try running this version ... if it gets the same result, then use it instead, and add the outputlookup on the end.
index=onelogin event_type_id=5
| eval mytime=strftime(_time, "%Y-%m-%d")
| lookup idstoroles.csv user_id
| stats distinct_count(mytime) as logcount by role_name, user_name, user_id
| where like(role_name, "%External User%")
| append [ | inputlookup idstoroles.csv
| where like (role_name,"%External User%")
| table role_name, user_name, user_id
| eval logcount=0
]
| stats sum(logcount) as "total logins" by role_name, user_name, user_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@agreer,
can you please check first pipe symbol is present i.e., before inputlookup command in your scheduled search and report. sometime when do save as report option from search bar. pipe symbol will be missed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The pipe is there. I have also seen other answers state this is due to permissions. I have had a super user create the same report with the same result.
What Is Splunk? Here’s What You Can Do with Splunk
Level Up Your .conf25: Splunk Arcade Comes to Boston
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
