Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Scheduled report only intermittently adding data to index

AliDodd
Loves-to-Learn
‎08-05-2024 07:09 AM

We have a scheduled report that passes data using "collect" & targeting an index which was running fine on schedule and the information was appearing in the index. It started only intermittently working and now the scheduled occurrences have stopped placing data into the index. The search is still perfectly functional and has results, I cannot work out why these are not being recorded. No change to the search used or the systems.

Search used:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="pwdLastset,sAMAccountName,extensionAttribute8,info" |
fields "_time", "extensionAttribute8", "pwdLastSet", "sAMAccountName","info" | where isnotnull('extensionAttribute8') | collect index="ldap_ad"

 

Tried adding 'spool=true' at the end and doing 'addinfo' prior to the collect, neither makes a difference to the search or the report, no data appears in ldap_ad

Labels (1)
Labels
0 Karma
Reply

KendallW
Contributor
‎08-05-2024 06:20 PM

Hi @AliDodd the first thing to check is whether the scheduled searches are being skipped or failed. You can check this from the job manager or the splunk health dashboard. If so, check the errors in the search.log and scheduler.log files. 

If you still can't find the issue, test the collect command is sending data correctly to the index using a quick makeresults command, e.g. (Assuming there is no problem sending a dummy event to your production index!)

| makeresults | eval test="test" | collect index="ldap_ad"

 

0 Karma
Reply

AliDodd
Loves-to-Learn
‎08-06-2024 05:37 AM

Cheers, I've checked the job manager and the job completes and writes to the stash, as all data is sent on to the indexers (which is is for all other inputs to this HF) that should be fine.

Unfortunately can't use the makeresults command as it needs to be first command in the search which conflicts with the ldapsearch command as that needs the same.

It's almost like the collect command has stopped working..

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...