Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

scheduled searches not showing as scheduled

jstockamp
Communicator
‎06-14-2011 11:11 AM

I've got about 5 searches that I want to be scheduled so that I can include them in a dashboard. I've set them all to be scheduled using cron and set the cron schedule as "0 1 * * *" to run every morning at 1AM. This all looks correct when I'm looking at the properties of the saved search in splunk web, but when I look at the list of saved searches the "scheduled time" shows "none".

If I look at $SPLUNK_HOME/etc/apps/search/local/savedsearches.conf I see


[rpt_All_Yesterday_Hits_by_Product]
action.email.inline = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
displayview = report_builder_display
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = report_builder_display
search = eventtype="evt_all"| timechart count(linecount) as Hits by product
vsid = *:goolxglv

Anyone have any ideas why splunkweb is not showing this as a scheduled search? If i look at "view recent" it's definitely not running as a scheduled search.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jstockamp
Communicator
‎06-14-2011 12:17 PM

Thanks for the tip. How would I go about removing "local.meta" permissions? Renaming the search everytime I make a change seems problematic.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jstockamp
Communicator
‎06-14-2011 12:17 PM

Thanks for the tip. How would I go about removing "local.meta" permissions? Renaming the search everytime I make a change seems problematic.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-14-2011 12:31 PM

You don't need to rename the search, just find the search entry in the local.meta file which is in $SPLUNK_HOME/etc/apps//metadata/local.meta and remove the stanza. This may require a restart.

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-14-2011 11:32 AM

jstockamp,

I believe this is being caused by a known issue in 4.2.0/4.2.1 where a saved search loses it's schedule when edited via manager. Removing local.meta permissions for the search seems to fix the issue.

See Searches Losing Their Schedule

0 Karma
Reply
Solved! Jump to solution

hazekamp
Builder
‎06-15-2011 11:33 AM

FYI; This is resolved in 4.2.2 per release note "Scheduled saved search loses scheduled time when converted from private to global permissions (All apps). Scheduled time resets to None. (SPL-38616)"

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...