Splunk Search

Scheduled report delivered without any results in CSV file

Communicator

Hi There,
I have scheduled a report to run and generate the CSV file and sent it over email, it had been working till last 2-3 weeks, hence then I am getting the report delivered but when I open the CSV file I don't see the results. I see following errors in the Job inspector:

 The following messages were returned by the search subsystem:
    info : No matching fields exist
    warn : Search filters specified using splunk_server/splunk_server_group do not match any search peer.
    warn : [subsearch]: Search filters specified using splunk_server/splunk_server_group do not match any search peer.

The same report has been scheduled for lesser period, it is delivering the results without any issues.
Please suggest any fix for this issue?

I have looked in answers and found https://answers.splunk.com/answers/235656/my-searches-are-failing-on-search-head-with-error.html

https://answers.splunk.com/answers/208043/unable-to-run-any-search-query-warn-search-filters.html
I don't think both of these are applicable here as I am getting the results delivered in scheduled report for lesser time period

0 Karma

SplunkTrust
SplunkTrust

Apparently you're specifying a splunk_server=Something OR splunk_server_group=something in your search and there isn't a splunk_server or splunk_server_group that matches what you're specifying.

If you're not specifying those key values in your search then perhaps your admins have created a search filter for your role that is causing the same key values to be added to your search.

0 Karma

Esteemed Legend

SHOW US YOUR SEARCH SPL! Or better yet, the entire stanza from savedsearches.conf.

0 Karma