Hi all,
I've made several searches to run at once (they run every 24 hours at 10am) but I can't seem to view the results of those searches, and the view which is using this search is NOT using any cached results - it just re-runs the search each time the view is loaded.
Is there a way to check if the searches ran (so I can tell if it's a problem with the search or view)
Thanks in advance
There is info in scheduler.log
. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.
index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name
Hope this helps,
/K
It turns out, we were just having problems with all our scheduled searches. I've just checked up on them, and they're all running fine now 🙂
There is info in scheduler.log
. The example below will list the scheduled searches, along with the scheduled time, and status. Might give you an idea of what you can play with.
index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name
Hope this helps,
/K
There is an index called _internal
, trust me.
However, your user account/role may not have access to search it.
Check with your splunk administrator to go into Manager -> Access Controls -> Roles -> <your_role>
, and check at bottom of the page. There are settings for which indexes you can search.
/k
I tried using that search - but no results were returned, in fact there is no '_internal' index or scheduler.log...
The frustrating thing is that this could have been the answer to all my problems 😞
Using pre-existing scheduled searches made by the admin, I managed to get these working on my dash, but the searches I've made (as a power user) don't work at all (despite the settings being totally identical)