Hi. I used the following query to find out whether a savedsearch failed or succeeded from the schedule:
index="_internal" source="*scheduler.log" savedsplunker
However, there are 6 different statuses from Splunk: "success", "delegated_remote_completion", "delegated_remote", "continued", "skipped", and "delegated_remote_error", and a savedsearch has more than one status within the same time. If I want to identify only whether a savedsearch failed or succeeded, what status, other fields, or word patterns should I use? Thanks.
You should take the latest status based on scheduled_time and the savedsearch name (or id), like this:
index=_internal sourcetype=scheduler
| stats latest(status) as status by savedsearch_id scheduled_time
This will give you the appropriate status for each scheduled instance of the saved search (if you selected a time range of 1 hr and your search runs every 15 mins, you will get 4 rows, one for each of the 4 executions). If you just want to see the latest execution's status, remove scheduled_time from the stats in the query above.
This is what I use for saved searches/data models/accelerated searches; I just tweak the search_type.
index="_internal" sourcetype="scheduler" search_type=scheduled
| eval scheduled=strftime(scheduled_time, "%Y-%m-%d %H:%M:%S")
| rex field=savedsearch_name "_ACCELERATE_DM_controlup_iop_(?<dm_node>.*)_ACCELERATE_"
| stats values(scheduled) as scheduled
values(savedsearch_name) as search_name
values(status) as status
values(reason) as reason
values(run_time) as run_time
values(dm_node) as dm_node
values(sid) as sid
by _time,savedsearch_name | sort -scheduled
| table scheduled, search_name, status, reason, run_time