Reporting

scheduled report result 0

gitingua
Engager

Hi! I created a report and set up a schedule for every hour.
Why is the scheduled report showing 0 results, while running the same search manually yields events?


0 Karma

gcusello
SplunkTrust

Hi @gitingua,

check whether the data you get when running your search manually are in the time window of the scheduled report.

In other words, if you scheduled the report to run at 10.00 taking logs from the last hour, check whether there were logs from 9.00 to 10.00; maybe when you run your report manually at 10.15 you have logs after 10.00 but not before.

In this case you have to reschedule your report.

Ciao.

Giuseppe

0 Karma

gitingua
Engager

data is present in the given range

0 Karma

gcusello
SplunkTrust

Hi @gitingua,

it's difficult to debug the report without seeing it!

Anyway, check the user running the scheduled report and, if possible, grant (possibly only for testing) read access to everyone on all the knowledge objects (eventtypes, fields, lookups, etc.) used in the report.

Ciao.

Giuseppe

0 Karma

gitingua
Engager

Hello. I have an admin role. 

Sharing -> global (all apps)

inspect job

The following messages were returned by the search subsystem:

info : No results. Created empty file 'file.csv'

info : Your timerange was substituted based on your search string

0 Karma

gcusello
SplunkTrust

hi @gitingua,

Could you share your report?

Ciao.

Giuseppe

0 Karma

gitingua
Engager

@gcusello 

index=«indexname» earliest=-1w@w latest=now
| table abc1 abc2 abc3
| join type=left abc3
    [ search index=«indexname» earliest=1 latest=now
    | table abc3, abc4, abc5 ]
| regex abc4="^(?:10|9)\.[59]$"

0 Karma

gcusello
SplunkTrust

Hi @gitingua,

what does "earliest=1" mean?

Ciao.

Giuseppe

0 Karma

gitingua
Engager

@gcusello are there any solutions?

0 Karma

gcusello
SplunkTrust

Hi @gitingua,

so events with sourcetype1 arrive every week and events with sourcetype2 arrive every month, is that correct?

Please try this different approach to regex, because probably the problem is that there's the limit of 50,000 results in subsearches:

(index=your_index earliest=-1w@w latest=now) OR (index=your_index earliest=-1mon@mon latest=now)
| stats values(abc1) AS abc1 values(abc2) AS abc2 values(abc4) AS abc4 values(abc5) AS abc5 BY abc3

Sorry, I cannot read the regex; please, when you share code (especially regexes), use the "Insert/Edit Code Sample" button.

Ciao.

Giuseppe

0 Karma

gitingua
Engager

@gcusello

earliest=1 latest=now means all time.

There are two sourcetypes in the index:

sourcetype1 = abc1, abc2, abc3

sourcetype2 = abc3, abc4, abc5

In "sourcetype1", data is received every week.

In "sourcetype2", data is received every month.

0 Karma
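Editor's note: the following search is an added worked example, not code posted by either participant. It combines Giuseppe's stats-based approach with the two sourcetypes the original poster describes, and keeps the abc4 filter that his rewrite left out. The sourcetype names sourcetype1 and sourcetype2, the index name your_index and the field names are taken from the thread as placeholders and are assumptions about the real data.

```spl
(index=your_index sourcetype=sourcetype1 earliest=-1w@w latest=now)
    OR (index=your_index sourcetype=sourcetype2 earliest=1 latest=now)
| stats values(abc1) AS abc1 values(abc2) AS abc2
        values(abc4) AS abc4 values(abc5) AS abc5
        BY abc3
| where isnotnull(abc1)
| mvexpand abc4
| regex abc4="^(?:10|9)\.[59]$"
| table abc1 abc2 abc3 abc4 abc5
```

A few points on why it is built this way. Each OR branch carries its own earliest/latest, so the weekly sourcetype is limited to the current week while the monthly one is read over all time, without any subsearch and therefore without the 50,000-result subsearch cap that can silently truncate a join. The stats BY abc3 groups both sourcetypes on the shared key; `where isnotnull(abc1)` keeps only keys that actually had a sourcetype1 event, which is what the original left join plus regex ended up producing. Because `values()` can yield a multivalue abc4 when a key has several sourcetype2 events, `mvexpand` splits it before the regex so the filter is applied per value rather than to the whole list. Finally, since the time modifiers live in the search string, the scheduled report's own time range is ignored and the "Your timerange was substituted based on your search string" message in the job inspector is expected; when the report really returns 0 results, check the job inspector's event count per branch to see which sourcetype contributed nothing in that run.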