scheduled report result 0

gitingua
Communicator

Hi! I created a report and set up a schedule to run it every hour.
Why is the scheduled report showing 0 results, while running the same search manually yields events?


0 Karma

gcusello
SplunkTrust

Hi @gitingua,

check whether the data you see when running your search manually falls inside the time window of the scheduled report.

In other words, if you scheduled the report to run at 10:00 over the last hour, check whether there were logs between 9:00 and 10:00; when you run the report manually at 10:15, you may be seeing logs from after 10:00 but none from before.

In that case you have to reschedule your report.

Ciao.

Giuseppe

0 Karma

gitingua
Communicator

data is present in the given range

0 Karma

gcusello
SplunkTrust

Hi @gitingua,

it's difficult to debug the report without seeing it!

Anyway, check the user running the scheduled report and, if possible, give (even if only for a test) read permission to everyone on all the knowledge objects (eventtypes, fields, lookups, etc.) used in the report.

Ciao.

Giuseppe

0 Karma

gitingua
Communicator

Hello. I have an admin role. 

Sharing -> global (all apps)

inspect job

The following messages were returned by the search subsystem:

info : No results. Created empty file 'file.csv'

info : Your timerange was substituted based on your search string

0 Karma
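The job-inspector message "Your timerange was substituted based on your search string" is the key detail in the post above: when the search string itself carries `earliest=`/`latest=`, Splunk uses those and ignores the time range configured on the scheduled report. The following savedsearches.conf fragment is an added example, not the poster's configuration; the stanza names, the index `myindex` and the hourly window are placeholders chosen to illustrate the point.

```ini
# savedsearches.conf (added example; stanza and index names are placeholders)

# PROBLEM: the search string carries its own earliest/latest. Splunk honours
# those over dispatch.earliest_time / dispatch.latest_time, which is exactly
# what the job inspector reports as "Your timerange was substituted based on
# your search string". The hourly schedule therefore runs a week-wide search
# every hour, and the report's own time picker has no effect at all.
[hourly_report_as_posted]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
search = index=myindex earliest=-1w@w latest=now | table abc1 abc2 abc3

# FIX: keep time modifiers out of the search string and let the schedule own
# the window. latest=@h rather than now, so the 10:00 run covers exactly
# 09:00-10:00; a manual run at 10:15 with latest=now would also pick up
# 10:00-10:15 and give a different result from the scheduled one.
[hourly_report_fixed]
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
schedule_window = 5
search = index=myindex | table abc1 abc2 abc3
```

To see which window a scheduled run actually used, append `| addinfo` to the search and look at `info_min_time` and `info_max_time` in the result, or read the scheduler's own record of each run from `index=_internal sourcetype=scheduler savedsearch_name="hourly_report_fixed" | table scheduled_time dispatch_time status result_count` (replace the saved search name with yours). A `result_count` of 0 with `status=success` means the search ran over an empty window; a `status` of `skipped` or `continued` means it did not run when you expected.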

gcusello
SplunkTrust

hi @gitingua,

Could you share your report?

Ciao.

Giuseppe

0 Karma

gitingua
Communicator

@gcusello 

index=«indexname» earliest=-1w@w latest=now
| table abc1 abc2 abc3
| join abc3 type=left
    [ | search index=«indexname» earliest=1 latest=now
      | table abc3 abc4 abc5 ]
| regex abc4="^(?:10|9)\.[59]$"

0 Karma

gcusello
SplunkTrust

Hi @gitingua,

what does it mean "earliest=1"?

Ciao.

Giuseppe

0 Karma

gitingua
Communicator

@gcusello  are there any solutions ?

0 Karma

gcusello
SplunkTrust

Hi @gitingua,

so events with sourcetype1 arrive every week and events with sourcetype2 arrive every month, is that correct?

Please try this different approach to regex, because probably the problem is that there's the limit of 50,000 results in subsearches:

(index=your_index earliest=-1w@w latest=now) OR (index=your_index earliest=-1mon@mon latest=now)
| stats values(abc1) AS abc1 values(abc2) AS abc2 values(abc4) AS abc4 values(abc5) AS abc5 BY abc3

Sorry, I cannot read the regex; when you share code (especially regexes), please use the "Insert/Edit Code Sample" button.

Ciao.

Giuseppe

0 Karma

gitingua
Communicator

 @gcusello 

earliest=1 latest=now is "all time".

there are two sourcetype in the index

sourcetype1 = abc1, abc2, abc3

sourcetype2 = abc3, abc4, abc5

In the "sourcetype1", data is received every week

In a "sourcetype2", data is received every month

0 Karma
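The two previous posts together explain what is most likely going wrong and what to do about it: the inner `join` subsearch runs with `earliest=1` (epoch second 1, i.e. all time) over an index that receives data every week and every month, so it is the first thing to hit the subsearch limits that apply to `join`, and the `regex abc4=` filter that follows a left join silently discards every row the truncated subsearch failed to match. The savedsearches.conf fragment below is an added example, not configuration from the thread: the first stanza is the search as posted, the second is the merge-with-stats rewrite suggested above. `myindex`, `sourcetype1`, `sourcetype2` and the stanza names are placeholders; the field names are the ones used in the thread.

```ini
# savedsearches.conf (added example; index, sourcetype and stanza names are placeholders)

# AS POSTED. Three things make this fragile under the scheduler:
#  1. earliest=1 makes the subsearch scan the whole index, so it is the first
#     thing to hit the join subsearch limits in limits.conf
#     ([join] subsearch_maxout = 50000, subsearch_timeout = 60 by default).
#     A truncated or timed-out subsearch is not an error; it is just smaller,
#     so outer rows fail to find their match.
#  2. type=left keeps unmatched rows with abc4 empty, and regex abc4=...
#     then drops every row whose abc4 is empty. Truncation therefore shows
#     up as "0 results" in the report, with the only hint in the job log.
#  3. The inline earliest/latest override the report's scheduled time range,
#     so the schedule only decides when the search runs, not what it covers.
[weekly_join_report_as_posted]
enableSched = 1
cron_schedule = 0 * * * *
search = index=myindex earliest=-1w@w latest=now \
  | table abc1 abc2 abc3 \
  | join abc3 type=left [search index=myindex earliest=1 latest=now | table abc3 abc4 abc5] \
  | regex abc4="^(?:10|9)\.[59]$"

# REWRITE. One search over both sourcetypes with their own windows (weekly
# feed: since the start of last week; monthly feed: since the start of last
# month), merged on abc3 with stats instead of join. There is no subsearch,
# so no subsearch row or time limit applies, and the regex is evaluated on
# the merged rows. Because the windows are still inline, dispatch.* would be
# ignored here too; they are left out so that nobody expects them to matter.
[weekly_join_report_rewrite]
enableSched = 1
cron_schedule = 0 * * * *
search = (index=myindex sourcetype=sourcetype1 earliest=-1w@w latest=now) \
      OR (index=myindex sourcetype=sourcetype2 earliest=-1mon@mon latest=now) \
  | stats values(abc1) AS abc1 values(abc2) AS abc2 values(abc4) AS abc4 values(abc5) AS abc5 BY abc3 \
  | regex abc4="^(?:10|9)\.[59]$"
```

Two caveats when adopting the rewrite. `values()` produces a multivalue field when an abc3 key has several abc4 values within the window; `regex` keeps the row if any value matches, so add `| mvexpand abc4` before the filter if you need one row per value. And the regex still drops abc3 keys for which the monthly feed has not arrived yet in the current window; if those should stay visible, run `| stats count` on the merged rows before the regex once, so you know how many keys the filter is removing rather than discovering it as another empty report.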