Forums: SplunkSearchAndAlert: Non-existent search running after upgrade


Hi all,
I recently upgraded from 4.0.2 to 4.0.4. I have a search named "Spidertracks Site Check" that I run on a 5 minute interval, and I'm alerted if the search returned results. I'm getting alerts every 5 minutes that the search has failed, yet if I click on the search, it returns no results. It's sending me a page every 5 minutes, and it's driving me absolutely insane.

I even went so far as to delete the saved search and restart Splunk. It's still running the saved search every 5 minutes! I used the following command to search all .conf files for any possibility of a duplicate search definition.

find /opt/splunk -name "*.conf" |xargs grep -l "Site Check"

I don't get any results. Where is Splunk picking up this scheduled job?

Thanks,
Todd

That's bizarre. Have you checked to see if perhaps there is an old splunkd process out there that has run away and is still running the old search?