Hi,
I have a Search Head Cluster of 4 Search Heads and have configured a few saved searches. My Splunk version is 6.3.
I use the loadjob command to get the latest result of my saved searches.
Activity -> Jobs shows me the saved search in "Done" Status (screen shot: pic 1)
However, when I click on the link which takes me to the Search App, it throws me an error (screen shot: pic 2)
Is it a bug in 6.3 or am I going wrong somewhere?
Thank you!
Ishaan
Could be a few things.
1. Try changing the owner of the scheduled job to nobody (instead of admin, and then change your loadjob command accordingly) (edit local.meta within the app context of your saved search to do this)
2. The scheduled search could be getting skipped (check by going to Settings -> System Activity -> Scheduler reports)
3. The dispatch directory could be full for the admin user, check dispatch directory size and limits
4. The scheduled search name could be misspelled in the loadjob command
5. The app context that the saved search lives in could be incorrect in the loadjob command
Is loadjob working for any of your other searches? Did the problem just start after upgrading to 6.3?
EDIT: Just noticed that in your job scheduler, while it says completed, it also returned 0 events. If you run the saved search manually does it return events? If not, troubleshoot the search.
loadjob is very buggy.
It fails for many reasons: spaces in the saved search name, custom apps, and subsearches.
Utterly useless command until they fix it.
I had this issue, too. The cause of the issue was a wrong/deprecated savedsearch load command. Changed the search on the dashboard to the correct one.
| loadjob savedsearch="nobody:otcsmonitor_prod:WeeklyUsageReport" | transpose | rename column as Metric | rename "row 1" as Value
The saved search is listed fine in "Reports". There is no issue with name or permission or app context. The dispatch directory is very small.
I tried to see the history of the saved searches but did not find anything in Activity -> Scheduler activity by saved search:
Am I looking at the right place?
P.S.: I am using a SHC. Not sure if more people have faced this issue in a cluster env rather than a standalone setup. I have not used saved searches in a previous version so I am not sure.
Thanks in advance,
Ishaan