Hello,
I have the following Saved Search configured to run daily on a cron schedule. The scheduled job appears to run on time as expected, but the search doesn't save any events to the Summary Index.
Saved Search:
index=index host=hosts sourcetype=sourcetype source=somelogfile.log
| addinfo
| eval _time = info_max_time
| rename xheaders.X-NOTIFICATION-TYPE to "Notification Type"
| sistats count by "Notification Type", reportField
| sort - psrsvd_gc
| collect spool=t uselb=t addtime=f index="summary" name="name" marker="report="name"
If I take out the collect clause and change sistats to stats, the query does return results. I know my account has permissions to write to the summary index.
In the same environment I do have one job running and saving to the summary index as expected; the only difference I can see is that the working one has "nobody" as the owner, and the ones that are not functional have my username as the owner.
Also, something that is strange is that the same configuration works in our Pre-Production environment. The only real difference is that in Production our Splunk Administrators use the Deployer role to push the Saved Search configuration.
Has anybody else run into this type of issue? Or know what I may have misconfigured?
Regards,
Cory