Hi All,
Currently I am facing an issue with scheduled reports. The scheduled job is being executed as per the cron schedule set for every two hours, but we are not seeing any events being triggered.
On Splunk --> Settings --> Searches, reports, and alerts --> saved search --> under the "Actions" column --> View recent, I could see a count of 0 under Events. When I clicked on the saved search, I could see "No results found". But when I ran the search manually, I got results, so I am not sure where the problem is.
Splunk Version: 6.2.1
Scheduled saved search details

```
earliest=-60m source="*dhcpd.log" Host=H* DHCPACK lease-duration OR RENEW
| localop
| lookup qualys_hostlist.csv NETBIOS AS Host OUTPUT LAST_SCAN_DATETIME
| eval LAST_SCAN_DATETIME=if(isnull(LAST_SCAN_DATETIME),"2000-01-01T00:00:00Z",LAST_SCAN_DATETIME)
| mvexpand LAST_SCAN_DATETIME
| eval LAST_SCAN_DATETIME=strptime(LAST_SCAN_DATETIME,"%Y-%m-%dT%H:%M:%SZ")
| dedup Host
| head 10
| stats last(LAST_SCAN_DATETIME) AS LAST_SCAN_DATETIME by Host IP
| table Host IP LAST_SCAN_DATETIME
| where LAST_SCAN_DATETIME < relative_time(now(),"-30d")
| table Host IP LAST_SCAN_DATETIME
| stats delim="+" values(IP) AS scanning
| mvcombine scanning
| eval scanners="QUALYS"
| eval title="Test+Assetscanning+TH"
| localop
| lookup qualysscanlookup title scanners scanning OUTPUT results
```
Time Range --> Start time and Finish time are not set
Acceleration --> Not set
Schedule and Alert --> Run on Cron Scheduled
`0 */2 * * *` (every 2 hours, at the 0th minute)
Run as --> Owner
Alert Condition --> always
Alert Mode --> Once per search
Throttling --> Not set
Expiration --> set as custom time
Severity --> Medium
Alert action --> Not set for any option under this
Summary Indexing --> Not set
As said in the beginning, we are able to get output when we execute the search manually, but when it is set as a scheduled search it is not generating any events. Kindly guide me on how/where we are having an issue.
Thanks in advance.
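A stand-alone Python model of the posted search's data flow, added here as an example and not code from the original post or from Splunk. It runs the same steps (DHCPACK lines for `H*` hosts, dedup and head, lookup with an "unscanned" default, 30-day cutoff, `+`-joined IP list) over constructed dhcpd.log lines and a constructed `qualys_hostlist` lookup, so the result the scheduled search should produce can be checked outside Splunk. All host names, IPs and dates are constructed, and `NOW` stands in for Splunk's `now()`.

```python
"""
Added example (not code from the original post): a stand-alone Python model of
the posted search's data flow, run over constructed dhcpd.log lines and a
constructed qualys_hostlist lookup, so the expected output of the scheduled
search can be sanity-checked outside Splunk. Host names, IPs and dates are
constructed; NOW stands in for Splunk's now().
"""
import re
from datetime import datetime, timedelta, timezone

SCAN_FMT = "%Y-%m-%dT%H:%M:%SZ"            # same format as the eval strptime
DEFAULT_LAST_SCAN = "2000-01-01T00:00:00Z"  # stand-in for "never scanned"
NOW = datetime(2015, 3, 10, 10, 0, tzinfo=timezone.utc)  # constructed now()

# Constructed dhcpd.log lines (source="*dhcpd.log" in the search).
DHCP_LOG = """\
Mar 10 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.0.21 to 00:11:22:33:44:55 (HWS-0021) via eth0 lease-duration 86400
Mar 10 09:02:30 dhcp1 dhcpd: DHCPREQUEST for 10.0.0.22 from 00:11:22:33:44:66 (HWS-0022) via eth0
Mar 10 09:03:44 dhcp1 dhcpd: DHCPACK on 10.0.0.22 to 00:11:22:33:44:66 (HWS-0022) via eth0 lease-duration 86400
Mar 10 09:03:50 dhcp1 dhcpd: DHCPACK on 10.0.0.22 to 00:11:22:33:44:66 (HWS-0022) via eth0 lease-duration 86400
Mar 10 09:04:01 dhcp1 dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:77 (HWS-0023) via eth0 lease-duration 86400
Mar 10 09:05:09 dhcp1 dhcpd: DHCPACK on 10.0.0.24 to 00:11:22:33:44:88 (PRN-0001) via eth0 lease-duration 86400
"""

# Constructed qualys_hostlist.csv: NETBIOS -> LAST_SCAN_DATETIME.
# HWS-0023 is deliberately absent so the isnull() default path is exercised.
QUALYS_HOSTLIST = {
    "HWS-0021": "2015-03-01T02:00:00Z",
    "HWS-0022": "2015-01-15T02:00:00Z",
}

ACK_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to \S+ \((?P<host>[^)]+)\)")


def dhcp_hosts(log_text, host_prefix="H", limit=10):
    """Model of: Host=H* DHCPACK lease-duration OR RENEW | dedup Host | head 10.
    Returns {host: ip}; the first occurrence of a host wins, at most `limit` hosts."""
    hosts = {}
    for line in log_text.splitlines():
        if "DHCPACK" not in line or not ("lease-duration" in line or "RENEW" in line):
            continue
        m = ACK_RE.search(line)
        if not m or not m.group("host").startswith(host_prefix):
            continue
        hosts.setdefault(m.group("host"), m.group("ip"))
        if len(hosts) >= limit:
            break
    return hosts


def parse_scan_time(raw):
    """Model of eval strptime(): None (Splunk null) when the format does not match."""
    try:
        return datetime.strptime(raw, SCAN_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def stale_hosts(log_text, lookup=QUALYS_HOSTLIST, now=NOW, max_age_days=30):
    """Hosts seen in DHCP whose last Qualys scan is older than max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for host, ip in dhcp_hosts(log_text).items():
        last_scan = parse_scan_time(lookup.get(host, DEFAULT_LAST_SCAN))
        # Splunk's `where` treats a comparison against null as false, so a
        # default that fails to parse would silently drop the host here.
        if last_scan is None:
            continue
        if last_scan < cutoff:
            stale.append((host, ip))
    return stale


def scanning_field(log_text, **kwargs):
    """Model of: stats delim="+" values(IP) AS scanning | mvcombine scanning."""
    ips = sorted({ip for _, ip in stale_hosts(log_text, **kwargs)})
    return "+".join(ips)


if __name__ == "__main__":
    for host, ip in stale_hosts(DHCP_LOG):
        print(f"{host} {ip} needs scanning")
    print("scanning =", scanning_field(DHCP_LOG))
```

Two things worth checking against the posted configuration while comparing manual and scheduled runs: the cron schedule fires every two hours, but `earliest=-60m` only looks back one hour, so each scheduled run inspects only half of the interval since the previous run; and `dedup Host | head 10` caps the candidate set at ten hosts before the 30-day filter is applied, so a run can legitimately return nothing when the first ten hosts seen all have recent scans.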