Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Scheduled searches are not being run?

606866581
Path Finder
‎04-22-2013 02:10 AM

Hi all,
I've made several searches to run at once (they run every 24 hours at 10am) but I can't seem to view the results of those searches, and the view which is using this search is NOT using any cached results - it just re-runs the search each time the view is loaded.

Is there a way to check if the searches ran (so I can tell if it's a problem with the search or view)

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-22-2013 03:35 AM

There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name

Hope this helps,

/K

View solution in original post

Reply
Solved! Jump to solution

606866581
Path Finder
‎04-30-2013 01:09 AM

It turns out, we were just having problems with all our scheduled searches. I've just checked up on them, and they're all running fine now 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-22-2013 03:35 AM

There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name

Hope this helps,

/K

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-22-2013 08:07 AM

There is an index called _internal, trust me.

However, your user account/role may not have access to search it.

Check with your splunk administrator to go into Manager -> Access Controls -> Roles -> <your_role>, and check at bottom of the page. There are settings for which indexes you can search.

/k

0 Karma
Reply
Solved! Jump to solution

606866581
Path Finder
‎04-22-2013 07:59 AM

I tried using that search - but no results were returned, in fact there is no '_internal' index or scheduler.log...
The frustrating thing is that this could have been the answer to all my problems 😞

Using pre-existing scheduled searches made by the admin, I managed to get these working on my dash, but the searches I've made (as a power user) don't work at all (despite the settings being totally identical)

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...