I've got about 5 searches that I want to be scheduled so that I can include them in a dashboard. I've set them all to be scheduled using cron and set the cron schedule as "0 1 * * *" to run every morning at 1AM. This all looks correct when I'm looking at the properties of the saved search in splunk web, but when I look at the list of saved searches the "scheduled time" shows "none".
If I look at $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf I see
[rpt_All_Yesterday_Hits_by_Product]
action.email.inline = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
displayview = report_builder_display
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = report_builder_display
search = eventtype="evt_all"| timechart count(linecount) as Hits by product
vsid = *:goolxglv
Anyone have any ideas why splunkweb is not showing this as a scheduled search? If I look at "view recent" it's definitely not running as a scheduled search.
I believe this is being caused by a known issue in 4.2.0/4.2.1 where a saved search loses its schedule when edited via manager. Removing local.meta permissions for the search seems to fix the issue.
FYI: This is resolved in 4.2.2 per release note "Scheduled saved search loses scheduled time when converted from private to global permissions (All apps). Scheduled time resets to None. (SPL-38616)"
Thanks for the tip. How would I go about removing "local.meta" permissions? Renaming the search every time I make a change seems problematic.
You don't need to rename the search, just find the search entry in the local.meta file which is in $SPLUNK_HOME/etc/apps/