
Why am I getting loadjob error "Cannot find artifacts for savedsearch_ident..." trying to get latest saved search results in Splunk 6.3?

ishaanshekhar
Communicator

Hi,

I have a Search Head Cluster of 4 Search Heads and have configured a few saved searches. My Splunk version is 6.3.

I use the loadjob command to get the latest result of my saved searches.

Activity -> Jobs shows me the saved search in "Done" Status (screen shot: pic 1)

However, when I click on the link which takes me to the Search App, it throws me an error (screen shot: pic 2)

Is it a bug in 6.3 or am I going wrong somewhere?

Thank you!
Ishaan


0 Karma

masonmorales
Influencer

Could be a few things.
1. Try changing the owner of the scheduled job to nobody (instead of admin, and then change your loadjob command accordingly) (edit local.meta within the app context of your saved search to do this)
2. The scheduled search could be getting skipped (check by going to Settings -> System Activity -> Scheduler reports)
3. The dispatch directory could be full for the admin user, check dispatch directory size and limits
4. The scheduled search name could be misspelled in the loadjob command
5. The app context that the saved search lives in could be incorrect in the loadjob command

Is loadjob working for any of your other searches? Did the problem just start after upgrading to 6.3?

EDIT: Just noticed that in your job scheduler, while it says completed, it also returned 0 events. If you run the saved search manually does it return events? If not, troubleshoot the search.
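The owner, name and app-context checks from the answer above (items 1, 4 and 5), as an added example that is not part of the original thread or of Splunk's own tooling: it compares a `loadjob` identifier of the form `owner:app:name` against saved-search entries shaped like the JSON returned by the REST endpoint `/servicesNS/-/-/saved/searches?output_mode=json`. The sample entries are constructed, and the helper names `parse_ident` and `diagnose` are hypothetical.

```python
"""Added example: diagnose a loadjob savedsearch="owner:app:name" identifier."""

# Constructed sample, shaped like the "entry" list of the REST response from
# /servicesNS/-/-/saved/searches?output_mode=json. Values are invented except
# for the identifier quoted in the thread.
SAMPLE_ENTRIES = [
    {"name": "WeeklyUsageReport",
     "acl": {"owner": "nobody", "app": "otcsmonitor_prod", "sharing": "app"}},
    {"name": "Daily Error Count",
     "acl": {"owner": "admin", "app": "search", "sharing": "user"}},
]


def parse_ident(ident):
    """Split owner:app:name; the name keeps any further colons or spaces."""
    parts = ident.split(":", 2)
    if len(parts) != 3 or not all(p.strip() for p in parts):
        raise ValueError("expected owner:app:name, got %r" % ident)
    return tuple(parts)


def _norm(text):
    """Ignore case and whitespace when looking for near-miss names."""
    return "".join(text.split()).lower()


def diagnose(ident, entries):
    """Return (status, suggestions); suggestions are identifiers that exist."""
    owner, app, name = parse_ident(ident)
    known = [(e["acl"]["owner"], e["acl"]["app"], e["name"]) for e in entries]
    if (owner, app, name) in known:
        return "ok", [ident]
    same_name = [k for k in known if k[2] == name]
    if same_name:
        # Name matches, so the owner or the app context is off (items 1 and 5).
        wrong = "owner" if any(k[1] == app for k in same_name) else "app"
        return "wrong_" + wrong, [":".join(k) for k in same_name]
    # Name itself does not match (item 4): look for case or spacing slips.
    near = [k for k in known if _norm(k[2]) == _norm(name)]
    status = "misspelled_name" if near else "not_found"
    return status, [":".join(k) for k in near]


if __name__ == "__main__":
    for ident in ("admin:otcsmonitor_prod:WeeklyUsageReport",
                  "admin:search:daily error count"):
        print(ident, "->", diagnose(ident, SAMPLE_ENTRIES))
```
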

sansay
Contributor

loadjob is very buggy.
It fails for many reasons: spaces in the saved search name, custom apps, and subsearches.
Utterly useless command until they fix it.

madingdisk
Explorer

I had this issue, too. The cause of the issue was a wrong/deprecated savedsearch load command. Changed the search on the dashboard to the correct one.

| loadjob savedsearch="nobody:otcsmonitor_prod:WeeklyUsageReport" | transpose | rename column as Metric | rename "row 1" as Value

0 Karma

ishaanshekhar
Communicator

The saved search is listed fine in "Reports". There is no issue with name or permission or app context. The dispatch directory is very small.

I tried to see the history of the saved searches but did not find anything in Activity -> Scheduler activity by saved search:


Am I looking at the right place?

P.S.: I am using a SHC. Not sure if more people have faced this issue in a cluster env rather than a standalone setup. I have not used saved searches in a previous version so I am not sure.

Thanks in advance,
Ishaan

0 Karma