Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

loadjob command not working

kaeleyt
Path Finder
‎07-09-2025 03:41 PM

I have a need to share high level metrics (via tstats) from a couple of indexes that a few of my teammates do not have access to. I have a scheduled report, let's call it ScheduledReportA, that is running that tstats command once a day in the morning.

I was planning to use the loadjob command to load the results of that report into a dashboard that my teammates can then filter on and search to get the information they need but I've noticed that the loadjob command only works some of the time for me, and otherwise will return 0 results. I know it is not my search syntax as I have used the same search and sometimes gotten results, sometimes not. Syntax for reference:
| loadjob savedsearch="kaeleyt:my_app_name:ScheduledReportA"

Some additional information to help rule things out:

  • The loadjob command search is being run in the same app that ScheduledReportA lives in
  • The report always has thousands of results, and yes I've checked this
  • ScheduledReportA is shared with the app and its users
  • dispatch.ttl is set to 2p (which I have always understood to be twice the schedule, which in this case is 24h, so 48h ttl)

I don't suspect it to be a permissions issue, or a job expiration issue based on the above but I'm wondering if I'm missing something or if anyone has run into similar issues.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎07-10-2025 03:03 AM

Hi @kaeleyt 

I wonder if the following will help work out what is going on? Can you run this to see if this shows the resultCount=0 or any other issues?

You might need to tweak:

| rest splunk_server=local /servicesNS/nobody/my_app_name/saved/searches/ScheduledReportA/history
| table updated, published, eventCount, is* id
| rex field=id "(?<uri>\/services.*)$"
| map  maxsearches=10 search="|rest $uri$ "
| table id dispatchState eventCount resultCount ttl is*

livehybrid_0-1752141743660.png

 

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

kaeleyt
Path Finder
‎07-10-2025 02:49 PM

The ttl of my latest job for this report is set to expire approx 2 days (~170000+ seconds) from now. I've been using the _audit index to check the resultCount for these jobs and it has never been 0. I've also been checking the ttl via the Activity > Jobs view (2nd image in screenshot, had to take a screenshot of my two screenshots to get past the 1 attachment limitation 🙂 ).

Is it possible that having multiple saved jobs from this search alive at the same time causes an issue? I have two alive currently, one from yesterday morning and one from this morning (similar to what you're showing in the screenshot). If this is a possibility, any recommendations on how I can only have 1 report job alive/kept at any point in time?

Preview file
168 KB
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-14-2025 06:29 AM
Are you running this on SH or SHC?
Are your result set events or transformed results?
https://docs.splunk.com/Documentation/Splunk/9.4.2/SearchReference/Loadjob
0 Karma
Reply

kaeleyt
Path Finder
‎07-14-2025 07:18 AM

Running on SHC and it's transformed results.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...