Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Missing status for scheduled jobs in scheduler.log

johannthum
Explorer
‎11-08-2018 11:52 PM

Hi all,

I have a SHC in my environment. Today I was troubleshooting an issue where my alert action wasn't firing. After some investigation into the scheduler.log, I found that for the specific search which it wasn't firing, it didn't have an "outcome" status, e.g. skipped, success. The status(es) of the particular sid has only "delegated_remote" and "delegated_remote_completion". The search I ran was:

index=_internal sourcetype=scheduler savedsearch_name="" |stats min(_time) as _time values(status) as status by sid | search status!="success" | sort - _time

Referring to the post below,

https://answers.splunk.com/answers/217666/what-does-statusdelegated-remote-or-statusdelegate.html

"delegated_remote" and "delegated_remote_completion" are generated from the captain as it tries to delegate to job to SH member.

May I know what it implies if a search doesn't have a status? Thanks in advance!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...