Hi
I created a scheduled search with the below search string:
sourcetype="MME_Reject-3" | eval indextime=_indextime | eval tnow=now() | eval diff=tnow-indextime | sort + diff | where diff<60 | reverse | table _raw | outputcsv 4G_REJECT_LOG.txt
The source is fed by a forwarder that forwards data from a Windows machine.
The search brings results whenever it is force run, but when it runs using the schedule of 1 minute it doesn't bring any result.
Can someone throw light on what the problem could be? splunkd.log doesn't display any error.
Found it out. The dispatch.ttl was the culprit. I changed it to 1 second and everything is fine now.