Does anyone know how to track a summary index job using the sid from the scheduler.log down to the actual stash batchreader file deletion event in splunkd.log?
Example:
scheduler.log
01-29-2014 05:09:26.663 +1100 INFO SavedSplunker - savedsearch_id="blah", user="nobody", savedsearch_name="Summary - TEST01", status=success, digest_mode=1, scheduled_time=1390932180, dispatch_time=1390932562, run_time=4.199, result_count=48, alert_actions="summary_index", sid="scheduler__nobody_U3BsdW5rRm9yTWVkaWFfanM__RMD5bb13b293ff218622_at_1390932180_344", suppressed=0, thread_id="AlertNotifierWorker-0"
splunkd.log
01-29-2014 07:36:47.352 +1100 INFO BatchReader - Removed from queue file='/opt/splunk/var/spool/splunk/RMD5627801de57bc32a7_1672617966.stash_new'.
I thought it would have been a simple matter of rexing the same “RMD” value out and matching on that, but it appears that they aren’t related, as I can’t find any of the scheduler ones in splunkd.
Basically, I’m trying to confirm that the stash file was created for that job.