system-scheduled-queries
Retrieves the configuration and execution status of scheduled queries registered in the system.
Command properties
| Property | Description |
|---|---|
| Command type | Driver query |
| Required permission | Cluster administrator |
| License usage | Not counted |
| Parallel execution | Not supported |
| Distributed execution | Not supported |
Syntax
Output fields
| Field | Type | Description |
|---|---|---|
| type | string | Item type. Always query |
| guid | string | Unique identifier (UUID) of the scheduled query |
| name | string | Scheduled query name |
| schedule | string | Cron expression representing the execution schedule |
| running | boolean | Whether currently running. true if running |
| enabled | boolean | Whether enabled. true if enabled |
| bootstrap | boolean | Whether this is a bootstrap query. true if it runs once automatically at server startup |
| bootstrap_time | timestamp | Time the bootstrap query completed. Null if bootstrap is false |
| bootstrap_error | string | Error message if the bootstrap query failed. Null if successful or if bootstrap is false |
| save_result | boolean | Whether the execution result is saved. true if saved |
| owner | string | Name of the account that created the scheduled query |
| description | string | Scheduled query description |
| query_string | string | Query string to execute |
| alert_query | string | Alert condition query string. Null if not configured |
| suppress_interval | long | Alert suppression interval (unit: seconds). Duplicate alerts within this interval are suppressed. |
| skip_while_running | boolean | Whether to skip the scheduled run if a previous execution is still in progress |
| mail_to | string | Alert email recipient address. Null if not configured |
| mail_subject | string | Alert email subject. Null if not configured |
| created_at | timestamp | Creation timestamp |
| metadata | object | Runtime metadata (such as bootstrap execution results) |
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 95020 | no-read-permission | The user does not have cluster administrator permission |
Runtime errors
N/A
Description
The system-scheduled-queries command retrieves the configuration and execution status of scheduled queries registered in the system. You can check the name, cron schedule, running status, bootstrap settings, and alert conditions for each scheduled query.
Queries with bootstrap set to true run automatically once at server startup. Use bootstrap_time and bootstrap_error to check the result of bootstrap execution.
Cluster administrator permission is required to run this command.
Examples
-
Retrieve all scheduled queries
system-scheduled-queriesRetrieves the configuration and status of all scheduled queries registered in the system.
-
Retrieve scheduled queries that are currently running
system-scheduled-queries | search running == true | fields name, schedule, owner, query_stringFilters and retrieves only scheduled queries that are currently running.
-
Retrieve disabled scheduled queries
system-scheduled-queries | search enabled == false | fields name, schedule, ownerFilters and retrieves only scheduled queries that are in a disabled state.
-
Retrieve scheduled queries with bootstrap failures
system-scheduled-queries | search bootstrap == true and isnotnull(bootstrap_error) | fields name, bootstrap_time, bootstrap_errorRetrieves scheduled queries whose bootstrap execution failed.