Hi,
I'm running Splunk 5.0.5 and I'm looking for a way to retrieve the date of the last execution of a scheduled search, because I want to print that date on a dashboard, writing something like "last update: xxxx".
I know that I can see that date from the manager panel, but I'm looking for a way to insert it into a dashboard 🙂
thanks
Perhaps something like this?
index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time |
On splunk 7.1.2 doesn't work, can anyone check it?
On 7.2, one way..
index=_internal sourcetype=scheduler savedsearch_name="Bucket Copy Trigger"
| stats latest(_time) as late_time
| eval late_time_str = strftime(late_time,"%c")
Doesn't work already when i write index=_internal sourcetype=scheduler
My splunk enterprise upgraded to 7.3.0
How sourcetype i have only these:
dbx*
splunkd
Aahh.. sure.. Any base search will work as long as you have events in it. So try..
index=_internal sourcetype=splunkd
| stats latest(_time) as late_time
| eval late_time_str = strftime(late_time,"%c")
I don't know about 7.3.0.. haven't get there yet, but I imagine it will work.
This returns the latest time in a set of records. If you're specifically looking for the last run of a saved search you'll have to get access to index=_internal sourcetype=scheduler. It's possible that your user has been excluded from that data.
I tried with admin and i have same result so i can't filter sourcetype by scheduler.
Perhaps something like this?
index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time |
thanks richgalloway, I started from your hint and I resolve with:
index=_internal savedsearch_id="user;apps;label" | stats max(_time) AS lastRun | convert ctime(lastRun)
thanks again 🙂