Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

retrieve the date of the last execution of a scheduled search

RiccardoV
Communicator
‎10-08-2013 06:26 AM

Hi,
I'm running Splunk 5.0.5 and I'm looking for a way to retrieve the date of the last execution of a scheduled search, because I want to print that date on a dashboard, writing something like "last update: xxxx".

I know that I can see that date from the manager panel, but I'm looking for a way to insert it into a dashboard 🙂

thanks

Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2013 07:37 AM

Perhaps something like this?

index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time |
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

splunk6161
Path Finder
‎07-04-2019 08:18 AM

On splunk 7.1.2 doesn't work, can anyone check it?

0 Karma
Reply
Solved! Jump to solution

memarshall63
Communicator
‎07-04-2019 10:17 AM

On 7.2, one way.. 

index=_internal sourcetype=scheduler savedsearch_name="Bucket Copy Trigger" 
| stats latest(_time) as late_time 
| eval late_time_str = strftime(late_time,"%c")
0 Karma
Reply
Solved! Jump to solution

splunk6161
Path Finder
‎07-05-2019 03:05 AM

Doesn't work already when i write index=_internal sourcetype=scheduler
My splunk enterprise upgraded to 7.3.0
How sourcetype i have only these:
dbx*
splunkd

0 Karma
Reply
Solved! Jump to solution

memarshall63
Communicator
‎07-05-2019 10:01 AM

Aahh.. sure.. Any base search will work as long as you have events in it. So try..

index=_internal sourcetype=splunkd
 | stats latest(_time) as late_time 
 | eval late_time_str = strftime(late_time,"%c")

I don't know about 7.3.0.. haven't get there yet, but I imagine it will work.

This returns the latest time in a set of records. If you're specifically looking for the last run of a saved search you'll have to get access to index=_internal sourcetype=scheduler. It's possible that your user has been excluded from that data.

0 Karma
Reply
Solved! Jump to solution

splunk6161
Path Finder
‎07-10-2019 02:05 AM

I tried with admin and i have same result so i can't filter sourcetype by scheduler.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2013 07:37 AM

Perhaps something like this?

index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time |
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

RiccardoV
Communicator
‎10-08-2013 07:49 AM

thanks richgalloway, I started from your hint and I resolve with:

index=_internal savedsearch_id="user;apps;label" | stats max(_time) AS lastRun | convert ctime(lastRun)

thanks again 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...