Hi guys,
I have an issue with a saved (and scheduled) search with no result.
If I schedule a search that returns no results and I try to get it with the command
| loadjob savedsearch="admin:app:label"
Splunk returns the following error:
Encountered an error while reading file '$splunk_home$/var/run/splunk/dispatch/ .... /results.csv.gz'.
If I try to change the time window where the search works (to "force" it to find some results), it works great.
How can I be sure that Splunk creates the .csv.gz file in any case, even if the search finds no results? I cannot dispatch a dashboard that returns a bad error like this!
thanks 🙂
Add an extra line to the end of your scheduled search; then 'something' will always be written regardless of the number of results obtained.
| append [|stats count |eval count="complete"| rename count as "info_search_marker" ]
You'll then need to just get rid of this line when you retrieve the results later.
| fields - info_search_marker
Please try to add "events=true" as an argument of the loadjob command. Splunk will not return such an error even when no events are returned for the saved search.
I just tried to upload my screenshot, but too bad that my karma is <60, so I couldn't upload it.
When I issued this search command in the Splunk search bar
|loadjob events=true savedSearch="admin:xxx:yyy", I got "No results found." as a normal search without any events returned. However, when I issued |loadjob savedSearch="admin:xxx:yyy", I got "Encountered an error while reading file '/aaa/var/run/splunk/dispatch/scheduler__admin_bbb_at_1405558800_3192/results.csv.gz'."
In my case, this "events=true" works in both the search view and a dashboard panel.
Just tried now and it didn't work. Created a saved search with no results, still showing:
Encountered an error while reading file '/xxxx/splunk/dispatch/scheduler_admin_dxxxxjcmVlbg_RMD5edaa75325ad60f36_at_140999940_5127/results.csv.gz'.
thanks, I'll try asap!
I was having a similar issue here: Splunk doesn't create the result file if nothing is returned... It's a shame, as it only adds coding overhead to something that should be straightforward. Anyway, thanks for the tip!
thanks A LOT! It works like a charm!
Then, you confirm that it is a known issue that Splunk doesn't create a results.csv.gz file if the scheduled search returns no results?
thanks again!