Solved: "Failed to get list of scheduled times…" error whe...

andrewdotnich · ‎11-15-2010

I have some searches that I've scheduled to populate a summary index, but I want to get historical info from them as well so I attempted to backfill the index using the fill_summary_index.py script.

However, when I tried this, I get the following error output:

[root@ bin]# ./splunk cmd python fill_summary_index.py
Please enter the app that contains the search(es): search
Please enter the name of saved search #1 (empty value to stop entering): zzz - DO NOT RUN - DataTable Top Ten Summary Index Search
Please enter the name of saved search #2 (empty value to stop entering): 
Please enter your splunk username: andrewn
Please enter your splunk password: 
Please enter the earliest time (UTC or relative): -6w@w
Please enter the latest time (UTC or relative): -w

*** For saved search 'zzz - DO NOT RUN - DataTable Top Ten Summary Index Search' ***
Failed to get list of scheduled times for saved search 'zzz - DO NOT RUN - DataTable Top Ten Summary Index Search' (app = 'search', error = '[HTTP 404] https://127.0.0.1:8089/servicesNS/nobody/search/saved/searches/zzz%20-%20DO%20NOT%20RUN%20-%20DataTa...; None' 

No searches to run

I've confirmed that the owner of the search is nobody, and I've tried running it with -dedup set and unset, and nothing seems to be working. Why am I getting this error?

Other info:

The report is scheduled to run every week, and hasn't run yet - does it have to have already had a scheduled run for the script to work?
Digging into the Python script and adding some debug, I see that the Exception that is getting thrown is a splunk.ResourceNotFound Exception - does this help shed some light?

andrewdotnich · ‎11-17-2010

I found that the reason I was getting this issue was one of data sync (I think) - I went into my savedsearches.conf and couldn't find the report, even though it was listed (with full search info, mind) in the Manager UI. Deleting and re-inserting the search via the manager resolved the issue and my backfill worked fine…

View solution in original post

the_wolverine · ‎10-05-2012

I encounter this when I forget to "share" my summary search to the search app. I don't have to specifically assign privs to any role but the search app needs access. 2 clicks in UI will fix it.

andrewdotnich · ‎11-17-2010

I found that the reason I was getting this issue was one of data sync (I think) - I went into my savedsearches.conf and couldn't find the report, even though it was listed (with full search info, mind) in the Manager UI. Deleting and re-inserting the search via the manager resolved the issue and my backfill worked fine…

andrewdotnich · ‎11-18-2010

that was the main file I was looking in, yes…

hulahoop · ‎11-17-2010

So your saved/scheduled search was not found in any savedsearches.conf, even the one in $SPLUNK_HOME/etc/users/yourusername?

hulahoop · ‎11-16-2010

Hi Andrew, I have seen this error when the -owner flag is not specified. What happens when you add the -owner flag?

andrewdotnich · ‎11-17-2010

The UI manager claimed that it was both saved and scheduled - I've since discovered the problem, see my answer for info. Thanks for your help, though!

hulahoop · ‎11-17-2010

Have you scheduled the search or is it simply saved?

andrewdotnich · ‎11-16-2010

Hi hulahoop,

I've tried specifying nobody (what the manager reports as the owner), and I still get the same result 😞

"Failed to get list of scheduled times…" error when using fill_summary_index.py

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life