Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Scheduled searches are not being run?

606866581
Path Finder
‎04-22-2013 02:10 AM

Hi all,
I've made several searches to run at once (they run every 24 hours at 10am) but I can't seem to view the results of those searches, and the view which is using this search is NOT using any cached results - it just re-runs the search each time the view is loaded.

Is there a way to check if the searches ran (so I can tell if it's a problem with the search or view)

Thanks in advance

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-22-2013 03:35 AM

There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name

Hope this helps,

/K

View solution in original post

Reply
Solved! Jump to solution

606866581
Path Finder
‎04-30-2013 01:09 AM

It turns out, we were just having problems with all our scheduled searches. I've just checked up on them, and they're all running fine now 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎04-22-2013 03:35 AM

There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name

Hope this helps,

/K

Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎04-22-2013 08:07 AM

There is an index called _internal, trust me.

However, your user account/role may not have access to search it.

Check with your splunk administrator to go into Manager -> Access Controls -> Roles -> <your_role>, and check at bottom of the page. There are settings for which indexes you can search.

/k

0 Karma
Reply
Solved! Jump to solution

606866581
Path Finder
‎04-22-2013 07:59 AM

I tried using that search - but no results were returned, in fact there is no '_internal' index or scheduler.log...
The frustrating thing is that this could have been the answer to all my problems 😞

Using pre-existing scheduled searches made by the admin, I managed to get these working on my dash, but the searches I've made (as a power user) don't work at all (despite the settings being totally identical)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...