Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Get list of failed or skipped scheduled saved searches

gaurav_maniar
Builder
‎11-01-2019 01:54 PM

Hi All,

I'm trying to make a report of failed or skipped scheduled saved searches.
The report should include the list of scheduled saved searches which failed or skipped when,
- splunk is down due to some issues
- during the splunk retstart / maintenance
- splunk query issue

index=_internal source=*scheduler.log search_type=scheduled

only gives the list of scheduled saved searches, which were skipped but not failed

are there any configuration that can execute these saved searches when Splunk is restarted or back to normal function.

let me know if any other details are required.

Thanks.

0 Karma
Reply

landen99_gdms
Explorer
‎08-31-2023 01:13 PM

This SPL will give you the failed saved searches:

index=_audit sourcetype=audittrail TERM(action=search) (TERM(info=bad_request)) (TERM(search=*) OR TERM(savedsearch=*)) NOT (MongoModificationsTracker OR (INFO (metrics OR PeriodicHealthReporter OR LicenseUsage) OR StreamedSearch) OR TERM(info=granted) OR (TERM(info=completed) TERM(has_error_warn=false) TERM(fully_completed_search=true)) OR GET ) provenance=scheduler
| rex mode=sed field=search "s/^'//"
| rex mode=sed field=search "s/'$//"
| rex mode=sed field=search_id "s/^'//"
| rex mode=sed field=search_id "s/'$//"
| table _time app info has_error_warn mode provenance savedsearch_name search search_id src user total_run_time

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎09-01-2023 12:23 AM
You could also use MC to look those. Just select MC -> Search -> Scheduler and there are couple of different dashboard. Then select suitable panel and open SPL for it and modify as needed.
0 Karma
Reply

arjunpkishore5
Motivator
‎11-04-2019 04:03 AM

| rest /servicesNS/-/-/search/jobs

delegate=scheduler indicates this is a scheduled search. Null value indicates that this was an ad-hoc search

dispatchState provides you the status of the search. dispatchState=Failed gives you all the Failed searches

This will give you all the search jobs which are visible in the Jobs manager. Expired searches are removed so if you need historical data, best to run this on a cadence and save to a summary search.

Hope this helps.

Cheers

0 Karma
Reply

gaurav_maniar
Builder
‎11-06-2019 04:22 AM

The results of my query and the your query are different even for failed/skipped saved searches.

According to rest query, there are very few failed searches, but when compared manually with searches that were not executed, than they were not in the results.

0 Karma
Reply

arjunpkishore5
Motivator
‎11-06-2019 04:58 AM

Hi @gaurav_maniar

The rest endpoint only provides the most recent searches (searches whose ttl hasn't expired) and does not maintain history; requiring that this be saved to a summary index to maintain history. If the search is visible when you click on Actvity>Jobs, then these will be visible in the rest endpoint.

What time range did you run the query against the internal index for?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...