Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch scheduled time and dispatched time of saved search?

Taruchit
Contributor
‎06-12-2023 12:52 PM

Hello All,

How do I find scheduled time and dispatch time of each saved search and alert?

The goal is to fetch the two timestamps and then find the magnitude of delay, if any. 

I tried to use the below but I get the cron schedule and not the timestamp, even though while defining cron was not used.

|rest /servicesNS/-/-/saved/searches
|search is_scheduled=1

Thus, I need your help and suggestions to build the same.

Thank you
Taruchit

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

verbal_666
Builder
‎06-13-2023 12:16 AM

You can try to launch a search like this,

 

index=_internal sourcetype=scheduler savedsearch_name="**" | where scheduled_time<dispatch_time
| eval Scheduled_Time=strftime(scheduled_time,"%F %T"),Dispath_Time=strftime(dispatch_time,"%F %T"),Time_Diff=strftime(dispatch_time-scheduled_time,"%M:%S") | where ! isnull(Time_Diff)
| table _time host app savedsearch_name Scheduled_Time Dispath_Time Time_Diff | sort - Time_Diff

View solution in original post

Reply
Solved! Jump to solution
Solution

verbal_666
Builder
‎06-13-2023 12:16 AM

You can try to launch a search like this,

 

index=_internal sourcetype=scheduler savedsearch_name="**" | where scheduled_time<dispatch_time
| eval Scheduled_Time=strftime(scheduled_time,"%F %T"),Dispath_Time=strftime(dispatch_time,"%F %T"),Time_Diff=strftime(dispatch_time-scheduled_time,"%M:%S") | where ! isnull(Time_Diff)
| table _time host app savedsearch_name Scheduled_Time Dispath_Time Time_Diff | sort - Time_Diff
Reply
Solved! Jump to solution

Taruchit
Contributor
‎06-13-2023 03:15 AM

Hi @verbal_666,

Thank you very much for your prompt help.

Taruchit

Reply
Solved! Jump to solution

Taruchit
Contributor
‎06-13-2023 10:11 AM

Hi @verbal_666,

Do you have any documentation which shares about how data in dispatch_time is field is recorded in the backend by Splunk? If yes, it would be great if you could share it.

Thank you

0 Karma
Reply
Solved! Jump to solution

verbal_666
Builder
‎06-13-2023 10:01 PM

Sorry, no.
I found those fields reading the log of Splunk itsself time ago, when i got problems with high time dispatching, and did some seaches with them.
The best thing, IMO, is reading all the Splunk logs with attention, there is some data very useful.
Or you can use the DMC and read the dashboards, where you can find also many interesting things.

0 Karma
Reply
Solved! Jump to solution

Taruchit
Contributor
‎06-13-2023 10:13 PM

Thank you sir.

0 Karma
Reply
Solved! Jump to solution

Taruchit
Contributor
‎06-12-2023 12:54 PM

I had previously fetched a thread by @verbal_666 where he stated the problem of delays by comparing scheduled time and dispatched time and then approach to solve it.

Link to thread: https://community.splunk.com/t5/Splunk-Search/Scheduler-high-delay-in-dispatching/m-p/495213

However, in my query I am a step prior, where I need help to fetch details of scheduled search and dispatch search for each saved search.

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...