Reporting

Scheduled searches are not being run?

606866581
Path Finder

Hi all,
I've made several searches to run at once (they run every 24 hours at 10am) but I can't seem to view the results of those searches, and the view which is using this search is NOT using any cached results - it just re-runs the search each time the view is loaded.

Is there a way to check if the searches ran (so I can tell if it's a problem with the search or view)

Thanks in advance

0 Karma
1 Solution

kristian_kolb
Ultra Champion

There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name

Hope this helps,

/K

View solution in original post

606866581
Path Finder

It turns out, we were just having problems with all our scheduled searches. I've just checked up on them, and they're all running fine now 🙂

0 Karma

kristian_kolb
Ultra Champion

There is info in scheduler.log. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.

index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name

Hope this helps,

/K

kristian_kolb
Ultra Champion

There is an index called _internal, trust me.

However, your user account/role may not have access to search it.

Check with your splunk administrator to go into Manager -> Access Controls -> Roles -> <your_role>, and check at bottom of the page. There are settings for which indexes you can search.

/k

0 Karma

606866581
Path Finder

I tried using that search - but no results were returned, in fact there is no '_internal' index or scheduler.log...
The frustrating thing is that this could have been the answer to all my problems 😞

Using pre-existing scheduled searches made by the admin, I managed to get these working on my dash, but the searches I've made (as a power user) don't work at all (despite the settings being totally identical)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...