×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
bhooker_axcient
Engager
Member since: ‎02-10-2021
‎08-21-2023
Community Statistics
Posts 3
Solutions 0
Karma Given 4
Karma Received 1
Member Since ‎02-10-2021
Activity Feed
View All

Re: Why does loadjob savedsearch return artifacts ...

by in Dashboards & Visualizations
‎06-15-2023 03:22 PM
‎06-15-2023 03:22 PM
On the dashboard, there were too many calls to loadjob with the savedsearch parameter.  I found that if a user loaded that page while the saved search had a job in progress, the job would fail.    I corrected the problem by instead making the call once in the dashboard: <search id="cached_results">   <query>| loadjob savedsearch="my_job_name"</query>   <done>   <set token="tok_cached_result">$job.sid$</set>   </done> </search> Then I can load those results each time I needed to reference them: <search> <query>| loadjob "$tok_cached_result$"</query> ... </search> I hope this helps someone! ... View more

Why does loadjob savedsearch return artifacts from...

by in Dashboards & Visualizations
‎06-13-2023 03:17 PM
1 Karma
‎06-13-2023 03:17 PM
1 Karma
I have a dashboard which loads the results of a saved search to speed up the load times. The saved search is scheduled to run frequently, and keeps results from the past 7 or 8 searches in it's history. Often times, the dashboard gets 0 results back from the loadjob command, and when I check the latest jobs, the most recent job status will be failed.  To fix it, I just manually delete the failed job and let it roll back to the previous Done job. Documentation for loadjob has an ignore_running option, but I am not seeing a way to ignore failed jobs, which would be nice. ** As an aside, I have noticed that I can make the saved search fail if I repeatedly call loadjob from a search (hit search 7 or 8 times without letting it finish) while the job is running.  I suspect that something like this is happening due to dashboard loads while this job is running which causes the failed job. ... View more
Labels

Delete events from a query with a command that is ...

by in Splunk Search
‎08-12-2021 04:45 PM
‎08-12-2021 04:45 PM
We have a Splunk instance that keeps copies of Jira tickets which have changed over time.  Anytime there is a change to a ticket, we journal most of the JSON object into Splunk as an event.  Our index is getting large, and I think that it is affecting performance (nearly 1,000,000 events and 1 GB).  For each ticket id, I want to delete all but 1 event that is older than 6 months (keep the youngest event that is > 6 mon old).     index=jira latest=-6mon | dedup key (Gets the list of keys with events that can be deleted)   For each key, delete all but one of the events > 6mon (e.g. KEY-75)   index=jira latest=-6mon key = "KEY-75" | streamstats count as result | where result > 1 | delete  Error in 'delete' command: This command cannot be invoked after the command 'simpleresultcombiner', which is not distributable streaming. The search job has failed due to an error. You may be able view the job in the Job Inspector. index=jira latest=-6mon key = "KEY-75" | sort - _time | streamstats count as result | where result > 1 | delete Error in 'delete' command: This command cannot be invoked after the command 'sort', which is not distributable streaming. The search job has failed due to an error. You may be able view the job in the Job Inspector. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-21-2023 09:49 PM
Karma from
View All
Karma given to