Reporting

How to get saved search's last successful run time

angelinealex
Communicator
-----
-----
------
| fields totalrec, mydate
| search index=_internal savedsearch_name="anothersavedsearch" status="success" 
| stats max(_time) as lastrun 
| eval lastsearchdate = if(totalrec>0,strftime(lastrun,"%Y-%m-%d"),mydate) 
| table lastsearchdate 

My requirement is, if the totalrec is greater than zero, then save lastsearchdate as saved search's last successful runtime, else store mydate to lastsearchdate.

But i am getting no records when i run this saved search. Please help.

0 Karma

logloganathan
Motivator

Modify the 7th line
Eval lastsearcheddate=(strftime(lastrun,format),mydate) | where totalrec>0

It will work

0 Karma

angelinealex
Communicator

This part is not correct strftime(lastrun,format),mydate)
so it didnt work.

0 Karma

logloganathan
Motivator

eval lastsearcheddate = strftime( strptime( lastrun, "%Y-%m-%d" ), mydate)

Could you please try this command

0 Karma

p_gurav
Champion

Hi,

you can find out last run of search with below query:

index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time | 
0 Karma

angelinealex
Communicator

Thank you, but this query doesnt satisfy my requirement with respect to totalrec which i have got from previous lines in the same query.

0 Karma

p_gurav
Champion

Can you try using subsearch for getting lastrun.

angelinealex
Communicator

I tried already, but really not sure how to do it and i wasn't success

0 Karma

angelinealex
Communicator

Fixed the issue with subsearch, Thank you.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...