Splunk Search

loadjob Encountered an error while reading file '/opt/splunk/var/run/splunk/dispatch/scheduler[...]/results.csv.gz'

Micmac
Path Finder

Hello,

I'm using Splunk 6, and I have an issue when I want to load a basic saved search with the command line below:

| loadjob savedsearch="admin:search:My saveed search"

Error:

⚠ Encountered an error while reading file './var/run/splunk/dispatch/scheduler_admin_search[...]/results.csv.gz'.

⚠ The search job has failed due to an error. You may be able view the job in the Job Inspector.

NB: This saved search gives no result (most of the time).

I have followed the "answer" (link below) without result; the results.csv.gz file is not created:
http://answers.splunk.com/answers/101189/saved-scheduled-searches-with-no-results-encountered-an-err...

If you have any idea, it would be great 🙂

Thanks,

musskopf
Builder

Hi,

I do have very similar saved searches here, and the only solution I found till now was to add to every saved search something like:

| append [ |stats count AS info_search_marker | eval info_search_marker="1" ]

and every time you use it, you need to remove that line.

| loadjob savedsearch="admin:search:MyScheduleSearch_1" | where isnull(info_search_marker)
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_2" | where isnull(info_search_marker)]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_3" | where isnull(info_search_marker)]
[...]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_X" | where isnull(info_search_marker) ]

Please let me know if you find a more elegant solution - or one that needs less coding :), as if you forget to remove that "info_search_marker" your stats might be wrong.

Micmac
Path Finder

It works! In fact, I read too quickly the first thread I saw on this matter.
Anyway, it's good now.

To remove the extra line, you can be more economical by using only one "| where isnull(info_search_marker)" at the end:

| loadjob savedsearch="admin:search:MyScheduleSearch_1"
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_2"]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_3"]
[...]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_X"]

| where isnull(info_search_marker)

Micmac
Path Finder

Thanks for your reply.

In my case this is a scheduled saved search and it runs every 10 minutes with many others...

That scheduled saved search returns no result (this is normal) and the problem occurs when I want to "loadjob", which fails because Splunk can't find "results.csv.gz" because the job generates no result... that seems logical.
But I can't believe that Splunk goes into error because of no result; that case can occur very often for many Splunkers...

Is there something I've missed? Or a trick/workaround that I need to be able to run something like this:

| loadjob savedsearch="admin:search:MyScheduleSearch_1"
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_2"]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_3"]
[...]
| append [| loadjob savedsearch="admin:search:admin:search:MyScheduleSearch_X"]

musskopf
Builder

How often is this "saved search" scheduled to run? You can only "loadjob" scheduled saved searches, and you'll only be able to get the results after the search has run at least once.
