Re: Scheduled search with only | inputlookup in th...

SteveBowser · ‎11-21-2024

I created a scheduled search that reads 2 input lookup csv files. It returns zero results when I look at the "View Recent"/Job Manager. When I run it by clicking the "Run" selection, I get the results that I'm looking for. What am I overlooking?

SteveBowser · ‎12-09-2024

Answering my own question here - it needs to have dates to display results. In the end, I wrote the results to a summary index in a scheduled search using | collect index=test_summary addtime=true.

SteveBowser · ‎11-27-2024

There are no timestamps in the lookup table. When I plug one in, I get the desired results.

SteveBowser · ‎11-21-2024

Sorry, I have access to the files.

ITWhisperer · ‎11-21-2024

Which user does the scheduled search run as and do they have access to the lookup files?

SteveBowser · ‎11-21-2024

It's under my username, with Admin privileges.

Scheduled search with only | inputlookup in the search returns zero results

administration

using Splunk Enterprise

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation