×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
RookieSplunker
Engager
Member since: ‎08-20-2025
‎08-22-2025
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎08-20-2025
View All

Re: Why Isn't My Search Job Expiring? The "Zombie"...

by in Splunk Search
‎08-22-2025 09:28 AM
‎08-22-2025 09:28 AM
Yes, because this query is initiated by my SOAR playbook, so there is no manual intervention. It runs when a trigger occurs (not on a schedule) and has run successfully before. However, on the day this issue occurred, the query ran three times with varying intervals and durations. The first run completed in around 2 minutes, the second run failed after about 1.5 hours, and the final run was cancelled after approximately 8.5 hours. The size of the artifacts sent to the indexer grew significantly during the second and third executions. The expiration time was changed to 36 hours with the final run—could the 8.5-hour run, and the 36-hour expiration time be related? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-22-2025 09:24 AM
Karma given to
View All