Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

monitor failed jobs

sarit_s
Communicator
‎10-11-2020 03:45 AM

Hello

i want to create a dashboard that monitors the failed job (savedsearches the i can see in the activity page)

how can search for failed jobs ? 
i saw that ITSI can do it but i wonder if there is a way to do it with Splunk itself

 

thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 01:28 PM

Check...

 | rest /services/search/jobs | where isFailed=1

Or

| rest /services/search/jobs | search isFailed=1

 

PS - Karma points are appreciated, if a reply solved your problem, please accept it as the solution. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

View solution in original post

Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 05:43 AM

Hi Sarit, Please check these search queries:

| rest /services/search/jobs
| table dispatchState *.search

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎10-11-2020 06:29 AM

the first one looks close to what i want. is there a way to filter so i will see only failed jobs ?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 07:48 AM

| rest /services/search/jobs isFailed=1

this will list only failed jobs. 

 

if this solved your query, please accept this as the solution.  

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎10-11-2020 12:54 PM

well, there is something weird

even thought im searching for isFailed=1 im getting results of isFailed=0

image below

Preview file
13 KB
0 Karma
Reply
Solved! Jump to solution
Solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 01:28 PM

Check...

 | rest /services/search/jobs | where isFailed=1

Or

| rest /services/search/jobs | search isFailed=1

 

PS - Karma points are appreciated, if a reply solved your problem, please accept it as the solution. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 05:32 AM

i assumed that "failed jobs" meaning, some app related failed jobs. 

for splunk's failed jobs, 

Splunk GUI---->Activity---> Jobs---> Status dropdown, select Failed.

or, the page URL is(pls update your splunk link on this below URL)

https://yourcompany.splunk.com/en-US/app/search/job_manager?owner=&jobStatus=failed

 

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎10-11-2020 06:05 AM

I know it is there

i want to monitor this jobs and add it as dashboard panel

is there a query that can give me the results ?

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎10-11-2020 05:15 AM

Hi @sarit_s by Splunk also, its possible. 

the applications logs are already ingested to splunk, we hope. and if you are not sure how to search for the failed jobs, then, maybe, you start from the hostname. simply search for the host which is running the app. 

then, from the events list, you can find out the source/sourcetype. you may need to do field extractions using the rex command. 

let us know how your search goes, so that we can help you. thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply
Solved! Jump to solution

sarit_s
Communicator
‎10-11-2020 05:19 AM

In the jobs list i see the inpect job option. I see there field name dispatchedStatus but i cant search for it

 

is there a way to search something like this ?

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...