
Dashboard - Access the results of the last + previous iterations of scheduled search (records saved for x hours)

Bennebo
Engager

I have a dashboard which represents the data of a scheduled search in a table (useHistory=auto or true). This allows the results to be immediately accessible to the user when opening the dashboard. As defined, the dashboard represents the records of the last iteration of the search.

The saved search is scheduled to run every 4 hours, and I am keeping the records for 24 hours. So when clicking "view recent", I can thus see 6 instances of the search and for each of them the results saved and thus readily available and accessible.

I would like to make the last AND the 5 previous instances of the search available to the dashboard, and selectable through for example a drop-down box (after selection, the results are shown in the table). Is this possible? Either out of the box or through sideviews.

(The reason why I opt for a search every 4 hours and not one every 24 hours is because I auto-email the results out as part of the search, and I want the dashboard to reflect the same behaviour.)

1 Solution

sideview
SplunkTrust

I think Yann's advice is good - to look into using summary indexing instead.

However, to answer the question you're asking, yes this is possible. Here's a simple example. I just use the rest command to get the current search jobs, I filter those results to get just the scheduled search results for the particular savedsearch I'm interested in (in this case "Top Processes by CPU"), then I render those into a Pulldown module as its options, using the earliestTime property as the label. Then when the user picks a job from the Pulldown, I just use the loadjob command to load the results from that specific scheduled job. If you wanted to you could configure the scheduled search to save more than just the 2 most recent scheduled runs. And of course you could do something more compelling than just dumping the results out to a Table like I have here. 😃

<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">| rest /services/search/jobs | search delegate="scheduler" label="Top Processes by CPU" | fields - remoteSearch performance.* | sort - earliestTime | table earliestTime sid </param>

  <module name="Pulldown">
    <param name="name">sid</param>
    <param name="label">Scheduled Results From:</param>
    <param name="valueField">sid</param>
    <param name="labelField">earliestTime</param>
    <param name="staticOptions"></param>

    <module name="Search">
      <param name="search">| loadjob $sid$</param>

      <module name="Pager">
        <module name="Table"></module>
      </module>
    </module>
  </module>
</module>
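The same three steps the answer wires together in Sideview XML (list the scheduler's finished jobs for one saved search, offer them newest-first as pulldown options with earliestTime as the label and sid as the value, then build the `| loadjob` search for the chosen sid) can be walked through in plain Python. This is an added illustration, not code from the poster or from Sideview; the job records are constructed samples standing in for what `| rest /services/search/jobs` returns, and the field names (`sid`, `label`, `delegate`, `earliestTime`, `isDone`) are assumed from the answer's search. One addition beyond the XML: because the pulldown value reaches the second Search module as a token, the selected sid is checked against the sids that were actually offered before it is placed in the loadjob string.

```python
from datetime import datetime

# Constructed sample records standing in for `| rest /services/search/jobs`;
# only the fields the answer's search uses are included (assumed names).
SAMPLE_JOBS = [
    {"sid": "sid-run-1", "label": "Top Processes by CPU", "delegate": "scheduler",
     "earliestTime": "2024-03-01T00:00:00+00:00", "isDone": "1"},
    {"sid": "sid-run-2", "label": "Top Processes by CPU", "delegate": "scheduler",
     "earliestTime": "2024-03-01T04:00:00+00:00", "isDone": "1"},
    {"sid": "sid-run-3", "label": "Top Processes by CPU", "delegate": "scheduler",
     "earliestTime": "2024-03-01T08:00:00+00:00", "isDone": "1"},
    # Still running: there are no results to load yet, so it is not offered.
    {"sid": "sid-run-4", "label": "Top Processes by CPU", "delegate": "scheduler",
     "earliestTime": "2024-03-01T12:00:00+00:00", "isDone": "0"},
    # A different scheduled search and an ad-hoc search run by a user.
    {"sid": "sid-other", "label": "Failed Logins", "delegate": "scheduler",
     "earliestTime": "2024-03-01T08:00:00+00:00", "isDone": "1"},
    {"sid": "sid-adhoc", "label": "", "delegate": "",
     "earliestTime": "2024-03-01T09:30:00+00:00", "isDone": "1"},
]


def scheduled_runs(jobs, label, max_runs=6):
    """Equivalent of the answer's first Search module:
    search delegate="scheduler" label=<label> | sort - earliestTime.
    Returns finished scheduled runs of one saved search, newest first,
    capped at max_runs (6 matches the question's 24 h / 4 h window)."""
    runs = [j for j in jobs
            if j.get("delegate") == "scheduler"
            and j.get("label") == label
            and j.get("isDone") == "1"]
    runs.sort(key=lambda j: datetime.fromisoformat(j["earliestTime"]), reverse=True)
    return runs[:max_runs]


def pulldown_options(runs):
    """What the Pulldown module renders: (label, value) pairs, with
    labelField=earliestTime and valueField=sid as in the XML."""
    return [(r["earliestTime"], r["sid"]) for r in runs]


def is_offered(selected_sid, runs):
    """True only if the sid is one of the options the pulldown actually showed."""
    return selected_sid in {r["sid"] for r in runs}


def loadjob_search(selected_sid, runs):
    """Build the downstream `| loadjob $sid$` search for the job the user picked.
    The token value is validated against the offered sids first, so a value that
    did not come from the pulldown never reaches the search string."""
    if not is_offered(selected_sid, runs):
        raise ValueError(f"sid {selected_sid!r} is not one of the offered scheduled runs")
    return f"| loadjob {selected_sid}"


if __name__ == "__main__":
    runs = scheduled_runs(SAMPLE_JOBS, "Top Processes by CPU")
    for label, sid in pulldown_options(runs):
        print(f"{label}  ->  {sid}")
    print(loadjob_search(runs[0]["sid"], runs))
```

Running it lists the three finished scheduled runs newest first (the running job, the other saved search and the ad-hoc job are dropped) and prints `| loadjob sid-run-3` for the default selection. Note that, as yannK points out below, only the runs still present in the dispatch folder can be listed at all; the retention of the scheduled search decides how many of the 6 instances are actually loadable.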



yannK
Splunk Employee

For such use cases, you should use summary indexing to keep all your results and display them as you need.

FYI, by default the last 2 iterations of a scheduled search are kept in the dispatch folder.
