Reporting

retrieve the date of the last execution of a scheduled search

Communicator

Hi,
I'm running Splunk 5.0.5 and I'm looking for a way to retrieve the date of the last execution of a scheduled search, because I want to print that date on a dashboard, writing something like "last update: xxxx".

I know that I can see that date from the manager panel, but I'm looking for a way to insert it into a dashboard 🙂

thanks

1 Solution

SplunkTrust
SplunkTrust

Perhaps something like this?

index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time | 
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Path Finder

On splunk 7.1.2 doesn't work, can anyone check it?

0 Karma

Communicator

On 7.2, one way..

index=_internal sourcetype=scheduler savedsearch_name="Bucket Copy Trigger" 
| stats latest(_time) as late_time 
| eval late_time_str = strftime(late_time,"%c")
0 Karma

Path Finder

Doesn't work already when i write index=_internal sourcetype=scheduler
My splunk enterprise upgraded to 7.3.0
How sourcetype i have only these:
dbx*
splunkd

0 Karma

Communicator

Aahh.. sure.. Any base search will work as long as you have events in it. So try..

index=_internal sourcetype=splunkd
 | stats latest(_time) as late_time 
 | eval late_time_str = strftime(late_time,"%c")

I don't know about 7.3.0.. haven't get there yet, but I imagine it will work.

This returns the latest time in a set of records. If you're specifically looking for the last run of a saved search you'll have to get access to index=_internal sourcetype=scheduler. It's possible that your user has been excluded from that data.

0 Karma

Path Finder

I tried with admin and i have same result so i can't filter sourcetype by scheduler.

0 Karma

SplunkTrust
SplunkTrust

Perhaps something like this?

index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time | 
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Communicator

thanks richgalloway, I started from your hint and I resolve with:

index=internal savedsearchid="user;apps;label" | stats max(_time) AS lastRun | convert ctime(lastRun)

thanks again 🙂

0 Karma