Hi everyone,
I recently took over a project by someone who is no longer with my employer. He made several scheduled searches that write to an index, and it was working great. However, last month, out of nowhere, it just stopped working. Supposedly no changes were made.
The other searches are working, it's just this one. The search runs just fine, gets the expected results, but the results aren't being exported to the index.
I actually found another post on here with someone who looked to have the same problem, but it wasn't successfully answered.
Another post suggested that a forwarder might be a solution. Does that seem right? I'd rather avoid that solution as I don't want to be installing apps on this environment, but if necessary I will get the permission. Just want to make sure that's a probable solution before doing so.
Figured it out, needed to add an eval column with the current time to match with the live results
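The fix described above, written out as a savedsearches.conf stanza pair (an added illustration, not the original poster's configuration). The collect target `index=indexname source=sourcename`, the 45-day window and the hourly schedule come from the thread; the base search `index=web sourcetype=access_combined`, the `stats` aggregation and the stanza names are assumptions. The mechanism being shown: `collect` keeps whatever `_time` each result carries, and `stats` output has no `_time`, so `collect` stamps those rows with the search's earliest time (its `addtime` behaviour), which here is 45 days in the past and therefore outside the default time picker when you look for them with a bare `index=indexname`.

```ini
# savedsearches.conf in the app's local/ directory.
# Added example for this thread, not the original saved search.
# Assumed: base search, stats aggregation, stanza names.
# From the thread: collect target, 45-day earliest, hourly schedule.

# BEFORE (kept disabled for comparison): the stats rows have no _time, so
# collect stamps them with the search's earliest time, 45 days ago. The rows
# ARE written, but a check with the default "Last 24 hours" picker such as
#   index=indexname source=sourcename
# finds nothing. Widening the check shows them:
#   index=indexname source=sourcename earliest=-45d latest=now
[hourly_client_hits_summary_before]
search = index=web sourcetype=access_combined \
    | stats count AS hits BY clientip \
    | collect index=indexname source=sourcename
cron_schedule = 0 * * * *
dispatch.earliest_time = -45d@h
dispatch.latest_time = now
enableSched = 1
disabled = 1

# AFTER: stamp every summary row with the time the search ran, so the
# collected events land at "now", next to live data, and the bare check
#   index=indexname source=sourcename
# finds them on any recent time range.
[hourly_client_hits_summary]
search = index=web sourcetype=access_combined \
    | stats count AS hits BY clientip \
    | eval _time=now() \
    | collect index=indexname source=sourcename
cron_schedule = 0 * * * *
dispatch.earliest_time = -45d@h
dispatch.latest_time = now
enableSched = 1
disabled = 0
```

When debugging a "collect writes nothing" report, run the widened check first: if the rows appear with old timestamps, the search is writing fine and only the `_time` stamping needs fixing, as here; if nothing appears even over the full window, the problem is upstream (the target index missing, or the search owner lacking write access to it), which this change will not cure.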
Hi @Aroot002,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @Aroot002,
I suppose that you manually checked the scheduled search, but did you check it in the same time window as the scheduled search? In other words, if your search must run at 01:00 and there's a condition earliest=now, you cannot check it at a different time, so try it again using the same time frame as the scheduled search.
Ciao.
Giuseppe
My earliest is 45 days ago and my latest is the current hour, as it is a scheduled hourly search. Results look exactly as they should but are not being written to the index.
Even so, if I run the search manually shouldn't the results of that search be written to the index? That's not happening.
Hi @Aroot002 ,
if the collect command is at the end of your scheduled search, the results are written to the summary index also when you run it manually.
Ciao.
Giuseppe
Yes, the last line is
| collect index=indexname source=sourcename
But when I run simply
index=indexname
after running that search, those results don't show up. Everything was working fine until one day in January when it just stopped writing results to the index.