Splunk Search

What is scheduler log event status=Continued ?

nishantkumar007
New Member

We have a log of saved searches working simultaneously in our search head. Around 70% of which are resulting status= Continued.

What does it mean, does it affect the alerts that we have created, does it mean they were not able to finish properly and hence the alerts are not getting triggered properly.
thanks

0 Karma

sbhale
Explorer

status=Continued means that splunk was unable to run your search as scheduled, But it will catch up and run it for the time period it was supposed to run.
For example your search looking at data from 00:15 - 00:30 was supposed to run at 00:30. But it got the above status.
What splunk will do is run the search for the timeframe 00:15-00:30 at say 00:40. So the results will(mostly) be the same. I say mostly because you can have data show up later and the results may differ because of that.
Splunk will choose to continue searches that are meant to fill summary data etc which can be more flexible than say alerts.

0 Karma

somesoni2
Revered Legend
0 Karma
Get Updates on the Splunk Community!

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...