Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

scheduled searches not showing as scheduled

jstockamp
Communicator
‎06-14-2011 11:11 AM

I've got about 5 searches that I want to be scheduled so that I can include them in a dashboard. I've set them all to be scheduled using cron and set the cron schedule as "0 1 * * *" to run every morning at 1AM. This all looks correct when I'm looking at the properties of the saved search in splunk web, but when I look at the list of saved searches the "scheduled time" shows "none".

If I look at $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf I see


[rpt_All_Yesterday_Hits_by_Product]
action.email.inline = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
displayview = report_builder_display
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = report_builder_display
search = eventtype="evt_all"| timechart count(linecount) as Hits by product
vsid = *:goolxglv

Anyone have any ideas why splunkweb is not showing this as a scheduled search? If i look at "view recent" it's definitely not running as a scheduled search.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jstockamp
Communicator
‎06-14-2011 12:17 PM

Thanks for the tip. How would I go about removing "local.meta" permissions? Renaming the search everytime I make a change seems problematic.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jstockamp
Communicator
‎06-14-2011 12:17 PM

Thanks for the tip. How would I go about removing "local.meta" permissions? Renaming the search everytime I make a change seems problematic.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-14-2011 12:31 PM

You don't need to rename the search, just find the search entry in the local.meta file which is in $SPLUNK_HOME/etc/apps//metadata/local.meta and remove the stanza. This may require a restart.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-14-2011 11:32 AM

jstockamp,

I believe this is being caused by a known issue in 4.2.0/4.2.1 where a saved search loses it's schedule when edited via manager. Removing local.meta permissions for the search seems to fix the issue.

See Searches Losing Their Schedule

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-15-2011 11:33 AM

FYI; This is resolved in 4.2.2 per release note "Scheduled saved search loses scheduled time when converted from private to global permissions (All apps). Scheduled time resets to None. (SPL-38616)"

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...