Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: loadjob Encountered an error while reading fil...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm using Splunk 6, I have an issue when I want to load a basic savedsearch with the command line below :
| loadjob savedsearch="admin:search:My saveed search"
Error:
⚠ Encountered an error while reading
file
'./var/run/splunk/dispatch/scheduler_admin_search[...]/results.csv.gz'.⚠ The search job has failed due to an
error. You may be able view the job in
the Job Inspector.
NB : This savedsearch give no result (most of the time).
I have follow the "answer" (link below) without result, the results.csv.gz file is not created :
http://answers.splunk.com/answers/101189/saved-scheduled-searches-with-no-results-encountered-an-err...
If you have any idea it could be great 🙂
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I do have very similar saved searches here, and the only solution I found till now was to add to every saved search something like:
| append [ |stats count AS info_search_marker | eval info_search_marker="1" ]
and every time you use it, need to remove that line.
| loadjob savedsearch="admin:search:MyScheduleSearch_1" | where isnull(info_search_marker)
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_2" | where isnull(info_search_marker)]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_3" | where isnull(info_search_marker)]
[...]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_X" | where isnull(info_search_marker) ]
Please let me know if you find a more elegant solution - or one that needs less coding :), as if you forget to remove that "info_search_marker" you stats might be wrong
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I do have very similar saved searches here, and the only solution I found till now was to add to every saved search something like:
| append [ |stats count AS info_search_marker | eval info_search_marker="1" ]
and every time you use it, need to remove that line.
| loadjob savedsearch="admin:search:MyScheduleSearch_1" | where isnull(info_search_marker)
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_2" | where isnull(info_search_marker)]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_3" | where isnull(info_search_marker)]
[...]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_X" | where isnull(info_search_marker) ]
Please let me know if you find a more elegant solution - or one that needs less coding :), as if you forget to remove that "info_search_marker" you stats might be wrong
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works ! In fact read too quickly the first thread I see on this matter.
Anyway it's good now.
To remove the extra line you can be more economic in using only one "| where isnull(info_search_marker)" at the end :
| loadjob savedsearch="admin:search:MyScheduleSearch_1"
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_2"]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_3"]
[...]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_X"]
| where isnull(info_search_marker)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your reply.
In my case this is a schedule saved search and it run every 10 minutes with many others...
That schedule saved search return no result (this is normal) and the problem occur when I want to "loadjob", that failed because Splunk can't find "results.csv.gz" because the job generate no result ... that seems logical.
But I can't believe that Splunk go on error because of no result that case can occur very often for many Splunker ...
There is a thing I've missed ? Or a tricks/workaround that I need to be able to run something like that :
| loadjob savedsearch="admin:search:MyScheduleSearch_1"
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_2"]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_3"]
[...]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_X"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How often this "saved search" is scheduled to run? You can only "loadjob" of scheduled saved searches, and you'll only able to get the results after the search ran at least once.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
