Other Usage

Why does job manager shows 0 events, but job link shows results?

donutgalileo
New Member

Hi,  I have set up a scheduled report that runs every hour and writes the result set to a csv file. Activity->Jobs shows that the report was run per schedule, but I don't see the expected result in the output csv. The job manager shows the search returned 0 events, but when I open the job link, I see more than 6000 results in the table. Why do the events in the show up as 0 in the job manager?

 Screen Shot 2023-03-13 at 1.17.21 PM.png

Screen Shot 2023-03-13 at 1.14.41 PM.png

Screen Shot 2023-03-13 at 1.24.24 PM.png

Labels (1)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

You are not searching 'events' as such from an index, so the event count is 0. 

As to why you are not seeing the expected results in the events.csv after the search - what appears wrong?

From what I can make out, that events.csv is used as input and output, so unless that csv is being updated elsewhere, the time() - epochTIme will eventually be > 3600 seconds, so all rows will eventually disappear from the csv.

 

0 Karma

donutgalileo
New Member

I need to retain events from last 24 hours in event.csv. I have a scheduled report running every 5 minutes that gets events from the last 5 minutes and appends to events.csv. I don't want this to be unbounded, so I set up another scheduled report that runs every once a day (60 minutes in this case for testing) that limits the data set from the csv and replaces the content in the csv. The first job runs fine, appends results every 5 minutes, the second job appears to run but does not have the intended effect. A timechart from the csv shows data for several hours.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

OK, got it - can you share a redacted example of the events.csv after that search has run, where it includes incorrect information

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...