- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Scheduled searches are not being run?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I've made several searches to run at once (they run every 24 hours at 10am) but I can't seem to view the results of those searches, and the view which is using this search is NOT using any cached results - it just re-runs the search each time the view is loaded.
Is there a way to check if the searches ran (so I can tell if it's a problem with the search or view)
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.
index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name
Hope this helps,
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It turns out, we were just having problems with all our scheduled searches. I've just checked up on them, and they're all running fine now 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.
index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name
Hope this helps,
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is an index called _internal, trust me.
However, your user account/role may not have access to search it.
Check with your splunk administrator to go into Manager -> Access Controls -> Roles -> <your_role>, and check at bottom of the page. There are settings for which indexes you can search.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried using that search - but no results were returned, in fact there is no '_internal' index or scheduler.log...
The frustrating thing is that this could have been the answer to all my problems 😞
Using pre-existing scheduled searches made by the admin, I managed to get these working on my dash, but the searches I've made (as a power user) don't work at all (despite the settings being totally identical)
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
