I've recently installed the Fire Brigade app on a new single-instance Splunk, running version 5. The saved searches didn't fire overnight, and I'm wondering why. I went into the Manager > Searches and Reports, and saw that the "scheduled time" field for the searches were all blank. Thinking that this must have been an installation snafu, I clicked on the search to enable a schedule. What I found was that it was already showing as scheduled, with the correct time. Despite this, it hadn't run.
Any hints?
The issue was observed in 5.0. Since upgrading the system to 5.0.4, the app's searches show as scheduled, and everything seems OK.
The issue was observed in 5.0. Since upgrading the system to 5.0.4, the app's searches show as scheduled, and everything seems OK.
You could at least upvote my comments 🙂
Upgrading to 5.0.4 has ... vanished the problem.
If this is occurring in the latest version (5.0.4), please file a support case and/or a bug.
Schedule is correct, search is not disabled.
It looks like the REST API is disagreeing with the manager.
I would look at the scheduling-specific properties of the saved search object in the REST API.