I run the following to get a list of saved / skipped searches through the Monitoring Console for my ES (Splunk ES). I need a field added to show the reason for failure / why the searches were skipped. Thanks a million in advance for your help.
`dmc_set_index_internal` search_group=dmc_group_search_head search_group=* sourcetype=scheduler (status="completed" OR status="skipped" OR status="deferred")
| stats count(eval(status=="completed" OR status=="skipped")) AS total_exec, count(eval(status=="skipped")) AS skipped_exec by _time, host, app, savedsearch_name, user, savedsearch_id
| where skipped_exec > 0
`dmc_set_index_internal` search_group=dmc_group_search_head search_group=* sourcetype=scheduler (status="completed" OR status="skipped" OR status="deferred")
| stats count(eval(status=="completed" OR status=="skipped")) AS total_exec, count(eval(status=="skipped")) AS skipped_exec by _time, host, app, savedsearch_name, user, savedsearch_id, reason
| where skipped_exec > 0
The stats command strips out all of the fields not referenced in the command. If you re-run the query using only the part before the first pipe then you'll see the field you seek. Add it to the by clause of the stats command.
I thank you for your message. I tried to follow what you stated but did not see the result I wanted. Please show me what part of my SPL listed I should be running to receive what you stated. Thank you.
`dmc_set_index_internal` search_group=dmc_group_search_head search_group=* sourcetype=scheduler (status="completed" OR status="skipped" OR status="deferred")
| stats count(eval(status=="completed" OR status=="skipped")) AS total_exec, count(eval(status=="skipped")) AS skipped_exec by _time, host, app, savedsearch_name, user, savedsearch_id, reason
| where skipped_exec > 0
Happy Thursday & thank you sir for your help. Stay safe & blessed.
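A variant of the search above, added here as an example and not posted by anyone in the thread: because `stats` leaves out events whose by-clause field is null, putting `reason` in the by clause drops the completed runs, so `total_exec` ends up equal to `skipped_exec`. This version collects `reason` with `values()` instead and buckets `_time` so the skip percentage is meaningful. The 1-hour span, the `skip_pct` field name and the assumption that only skipped events carry a `reason` field are mine.

```spl
`dmc_set_index_internal` search_group=dmc_group_search_head sourcetype=scheduler (status="completed" OR status="skipped" OR status="deferred")
| bin _time span=1h
| stats count(eval(status=="completed" OR status=="skipped")) AS total_exec, count(eval(status=="skipped")) AS skipped_exec, values(reason) AS reason by _time, host, app, savedsearch_name, user, savedsearch_id
| where skipped_exec > 0
| eval skip_pct=round(100 * skipped_exec / total_exec, 1)
| sort - skip_pct
```

For ES, a correlation search near the top of this list is a detection that did not run on schedule during that hour.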