Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

scheduled searches not showing as scheduled

jstockamp
Communicator
‎06-14-2011 11:11 AM

I've got about 5 searches that I want to be scheduled so that I can include them in a dashboard. I've set them all to be scheduled using cron and set the cron schedule as "0 1 * * *" to run every morning at 1AM. This all looks correct when I'm looking at the properties of the saved search in splunk web, but when I look at the list of saved searches the "scheduled time" shows "none".

If I look at $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf I see


[rpt_All_Yesterday_Hits_by_Product]
action.email.inline = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
displayview = report_builder_display
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = report_builder_display
search = eventtype="evt_all"| timechart count(linecount) as Hits by product
vsid = *:goolxglv

Anyone have any ideas why splunkweb is not showing this as a scheduled search? If i look at "view recent" it's definitely not running as a scheduled search.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jstockamp
Communicator
‎06-14-2011 12:17 PM

Thanks for the tip. How would I go about removing "local.meta" permissions? Renaming the search everytime I make a change seems problematic.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jstockamp
Communicator
‎06-14-2011 12:17 PM

Thanks for the tip. How would I go about removing "local.meta" permissions? Renaming the search everytime I make a change seems problematic.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-14-2011 12:31 PM

You don't need to rename the search, just find the search entry in the local.meta file which is in $SPLUNK_HOME/etc/apps//metadata/local.meta and remove the stanza. This may require a restart.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-14-2011 11:32 AM

jstockamp,

I believe this is being caused by a known issue in 4.2.0/4.2.1 where a saved search loses it's schedule when edited via manager. Removing local.meta permissions for the search seems to fix the issue.

See Searches Losing Their Schedule

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-15-2011 11:33 AM

FYI; This is resolved in 4.2.2 per release note "Scheduled saved search loses scheduled time when converted from private to global permissions (All apps). Scheduled time resets to None. (SPL-38616)"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...