How to edit my search to display the status of my ...

ramstolentino · ‎05-30-2017

Hi, I am currently using the search below to get the status of my saved searches.

index=_internal sourcetype=scheduler | eval dispatch_time=strftime(dispatch_time, "%B %d %H:%M:%S") | table savedsearch_name status dispatch_time run_time result_count | sort dispatch_time

However, I want to see the following status:

running;
not running
completed ("success" is OK)

Any suggestions? Thanks!

tlam_splunk · ‎06-01-2017

I think your search command is trying to get the status from the scheduler.log.
In scheduler.log, I don’t think it has the ‘running' status. In general, you could take status = success As 'completed' , other than success, you could take it as ‘not completed’.

woodcock · ‎05-31-2017

Why not use the REST API?

| rest/servicesNS/-/-/saved/searches

cmerriman · ‎05-31-2017

by "not running" are you referring to saved searches that are not on a schedule? otherwise, in my opinion, if they are "not running" they would be "completed". I've never seen a "running" status, but I suppose i've never looked while i had a search running before.

How to edit my search to display the status of my saved searches?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

How to edit my search to display the status of my saved searches?

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!