How to get saved search's last successful run time

angelinealex · ‎03-22-2018

-----
-----
------
| fields totalrec, mydate
| search index=_internal savedsearch_name="anothersavedsearch" status="success" 
| stats max(_time) as lastrun 
| eval lastsearchdate = if(totalrec>0,strftime(lastrun,"%Y-%m-%d"),mydate) 
| table lastsearchdate

My requirement is, if the totalrec is greater than zero, then save lastsearchdate as saved search's last successful runtime, else store mydate to lastsearchdate.

But i am getting no records when i run this saved search. Please help.

logloganathan · ‎03-22-2018

Modify the 7th line
Eval lastsearcheddate=(strftime(lastrun,format),mydate) | where totalrec>0

It will work

angelinealex · ‎03-23-2018

This part is not correct strftime(lastrun,format),mydate)
so it didnt work.

logloganathan · ‎03-27-2018

eval lastsearcheddate = strftime( strptime( lastrun, "%Y-%m-%d" ), mydate)

Could you please try this command

p_gurav · ‎03-22-2018

Hi,

you can find out last run of search with below query:

index=_internal source="/opt/splunk/var/log/splunk/scheduler.log" savedsearch_name=<scheduled-search-name> | eval lastRun=_time |

angelinealex · ‎03-22-2018

Thank you, but this query doesnt satisfy my requirement with respect to totalrec which i have got from previous lines in the same query.

p_gurav · ‎03-22-2018

Can you try using subsearch for getting lastrun.

angelinealex · ‎03-23-2018

I tried already, but really not sure how to do it and i wasn't success

angelinealex · ‎03-23-2018

Fixed the issue with subsearch, Thank you.

How to get saved search's last successful run time

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms