Scheduled searches are not being run?

606866581
Path Finder

Hi all,
I've made several searches to run at once (they run every 24 hours at 10am) but I can't seem to view the results of those searches, and the view which is using this search is NOT using any cached results - it just re-runs the search each time the view is loaded.

Is there a way to check if the searches ran (so I can tell if it's a problem with the search or view)?

Thanks in advance

kristian_kolb
Ultra Champion

There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name

Hope this helps,

/K
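
An added example, not part of the original answer: the same scheduler.log data rolled up per saved search, so a search that never ran, or ran but was skipped, stands out from one that succeeded. It assumes the scheduler events carry the `app`, `user` and `reason` fields alongside the `status`, `scheduled_time` and `savedsearch_name` fields used above, and that your role can search `_internal`; the 7-day window is an arbitrary choice.

```spl
index=_internal source=*scheduler.log earliest=-7d
| stats count AS runs
        count(eval(status="success")) AS succeeded
        count(eval(status="skipped")) AS skipped
        max(scheduled_time) AS last_scheduled
        latest(status) AS last_status
        values(reason) AS skip_reasons
        BY app user savedsearch_name
| eval last_scheduled = strftime(last_scheduled, "%Y-%m-%d %H:%M:%S")
| sort - skipped
```

A saved search that is missing from the output has no scheduler events in the window at all, which points at the schedule or its owner's permissions rather than at the view.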

606866581
Path Finder

It turns out, we were just having problems with all our scheduled searches. I've just checked up on them, and they're all running fine now 🙂

kristian_kolb
Ultra Champion

There is an index called _internal, trust me.

However, your user account/role may not have access to search it.

Check with your Splunk administrator to go into Manager -> Access Controls -> Roles -> <your_role>, and check at the bottom of the page. There are settings for which indexes you can search.

/k

606866581
Path Finder

I tried using that search - but no results were returned, in fact there is no '_internal' index or scheduler.log...
The frustrating thing is that this could have been the answer to all my problems 😞

Using pre-existing scheduled searches made by the admin, I managed to get these working on my dash, but the searches I've made (as a power user) don't work at all (despite the settings being totally identical).
