Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to identify a scheduled savedsearch failed or successed?

splunkrocks2014
Communicator
‎07-13-2017 08:01 AM

Hi. I used the following query to find out if a savedsearch failed or successed from the schedule:

index="_internal" source="*scheduler.log" savedsplunker

However, there are 6 different status from Splunk, "success", "delegated_remote_completion", "delegated_remote", "continued", "skipped", "delegated_remote_error" and a savedsearch has more than one status within the same time. If I want to identify if a savedsearch failed or successed only, what status or other fields or word patterns should I used? Thanks.

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎07-13-2017 08:14 AM

YOu should take the latest status based on the scheduled_time and savedsearch name (or id). like this

index=_internal sourcetype=scheduler 
| stats latest(status) as status by savedsearch_id scheduled_time

This will give you appropriate status for each scheduled instances of the saved search (if you selected time range as 1 hr and your search runs every 15 mins, you will get 4 rows for each of 4 execution). If you just want to see the latest execution's status, remove scheduled_time from stats in above query.

Reply

cmerriman
Super Champion
‎07-13-2017 08:11 AM

this is what i use for saved searches/data models/accelerated searches, i just tweak the search_type

index="_internal" sourcetype="scheduler"   search_type=scheduled
            | eval scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") 
            | rex field=savedsearch_name "_ACCELERATE_DM_controlup_iop_(?<dm_node>.*)_ACCELERATE_"
            | stats values(scheduled) as scheduled
                    values(savedsearch_name) as search_name
                    values(status) as status
                    values(reason) as reason
                    values(run_time) as run_time 
                    values(dm_node) as dm_node
                    values(sid) as sid
                    by _time,savedsearch_name |  sort -scheduled
            | table scheduled, search_name, status, reason, run_time
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...