
Dashboard - Access the results of the last + previous iterations of scheduled search (records saved for x hours)

Bennebo
Engager

I have a dashboard which represents the data of a scheduled search in a table (useHistory=auto or true). This allows the results to be immediately accessible to the user when opening the dashboard. As defined, the dashboard represents the records of the last iteration of the search.

The saved search is scheduled to run every 4 hours, and I am keeping the records for 24 hours. So when clicking "view recent", I can thus see 6 instances of the search and, for each of them, the results saved and thus readily available and accessible.

I would like to make the last AND the 5 previous instances of the search available to the dashboard, and selectable through, for example, a drop-down box (after selection, the results are shown in the table). Is this possible? Either out of the box or through Sideview.

(The reason why I opt for a search every 4 hours and not one every 24 hours is because I auto-email the results out as part of the search, and I want the dashboard to reflect the same behaviour.)

1 Solution

sideview
SplunkTrust

I think Yann's advice is good - to look into using summary indexing instead.

However, to answer the question you're asking, yes this is possible. Here's a simple example. I just use the rest command to get the current search jobs, I filter those results to get just the scheduled search results for the particular savedsearch I'm interested in (in this case "Top Processes by CPU"), then I render those into a Pulldown module as its options, using the earliestTime property as the label. Then when the user picks a job from the Pulldown, I just use the loadjob command to load the results from that specific scheduled job. If you wanted to, you could configure the scheduled search to save more than just the 2 most recent scheduled runs. And of course you could do something more compelling than just dumping the results out to a Table like I have here. 😃

<!-- Outer search: list the current jobs and keep only the scheduler-owned runs of the named saved search -->
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
  <param name="search">| rest /services/search/jobs | search delegate="scheduler" label="Top Processes by CPU" | fields - remoteSearch performance.* | sort - earliestTime | table earliestTime sid </param>

  <!-- One option per scheduled run: the sid is the option value, earliestTime the visible label -->
  <module name="Pulldown">
    <param name="name">sid</param>
    <param name="label">Scheduled Results From:</param>
    <param name="valueField">sid</param>
    <param name="labelField">earliestTime</param>
    <!-- Left empty so no placeholder option is added; only real jobs are listed -->
    <param name="staticOptions"></param>

    <!-- Load the stored artifacts of the selected job instead of re-running the search -->
    <module name="Search">
      <param name="search">| loadjob $sid$</param>

      <module name="Pager">
        <module name="Table"></module>
      </module>
    </module>
  </module>
</module>


0 Karma
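The job-selection logic behind that XML, as an added Python example that is not part of the original answer or of Sideview Utils: it applies the same filter (delegate="scheduler", label equal to the saved search name) to a constructed sample of the /services/search/jobs JSON listing, orders the runs newest-first by earliestTime, and builds the loadjob query for the run the user picks. It also adds the check a practitioner would want before a dashboard token is substituted into SPL: the chosen sid is allow-listed against the sids the listing produced and restricted to job-identifier characters, because `$sid$` in the XML above is placed straight into the search string. The sample listing is constructed, not captured from a server, and modelling only the sid, label, delegate and earliestTime fields is an assumption.

```python
"""Select the stored results of a scheduled saved search's recent runs.

Mirrors the dashboard logic from the thread: list search jobs, keep the
scheduler-owned runs of one saved search, order them newest-first, and
build a `| loadjob <sid>` query for the run the user picks.  The REST
listing below is a constructed sample in the shape of
/services/search/jobs?output_mode=json (assumption: only the fields the
SPL uses are modelled).
"""
import json
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample of /services/search/jobs (not captured from a live server).
SAMPLE_JOBS_JSON = json.dumps({
    "entry": [
        {"content": {"sid": "scheduler__admin__search__RMD5aa11bb22cc33dd44_at_1700020800_41",
                     "label": "Top Processes by CPU", "delegate": "scheduler",
                     "earliestTime": "2023-11-15T00:00:00.000+00:00"}},
        # An ad-hoc job: no delegate, no label, so it must be filtered out.
        {"content": {"sid": "1700025000.123",
                     "label": "", "delegate": "",
                     "earliestTime": "2023-11-15T01:00:00.000+00:00"}},
        {"content": {"sid": "scheduler__admin__search__RMD5aa11bb22cc33dd44_at_1700035200_42",
                     "label": "Top Processes by CPU", "delegate": "scheduler",
                     "earliestTime": "2023-11-15T04:00:00.000+00:00"}},
        # A scheduled run of a different saved search, also filtered out.
        {"content": {"sid": "scheduler__admin__search__RMD5ee55ff66_at_1700035200_43",
                     "label": "Failed Logins", "delegate": "scheduler",
                     "earliestTime": "2023-11-15T04:00:00.000+00:00"}},
    ]
})

# A sid is a job identifier, never free text: letters, digits, '.', '_' and '-'
# (assumed charset; tighten further if your deployment's sids allow it).
SID_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_sid(sid: str) -> bool:
    """True when the sid contains only job-identifier characters."""
    return SID_RE.fullmatch(sid) is not None


def scheduled_runs(jobs_json: str, saved_search: str) -> List[Dict[str, str]]:
    """Return scheduler-owned runs of `saved_search`, newest earliestTime first.

    Equivalent to: | rest /services/search/jobs
                   | search delegate="scheduler" label="<saved_search>"
                   | sort - earliestTime | table earliestTime sid
    """
    entries = json.loads(jobs_json).get("entry", [])
    runs = []
    for entry in entries:
        c = entry.get("content", {})
        if c.get("delegate") != "scheduler" or c.get("label") != saved_search:
            continue
        runs.append({"earliestTime": c["earliestTime"], "sid": c["sid"]})
    # Sort on the parsed timestamp rather than the raw string so runs recorded
    # with different UTC offsets still order correctly.
    runs.sort(key=lambda r: datetime.fromisoformat(r["earliestTime"]), reverse=True)
    return runs


def loadjob_query(sid: str, allowed_sids: List[str]) -> str:
    """Build `| loadjob <sid>` only for a sid this listing actually offered.

    `$sid$` in the thread's XML is substituted straight into SPL, so whatever
    a client submits as the token ends up in the search string.  Allow-listing
    against the listed sids plus a strict charset check keeps that substitution
    from becoming a search-injection point.
    """
    if sid not in allowed_sids:
        raise ValueError("sid was not among the listed scheduled runs")
    if not is_safe_sid(sid):
        raise ValueError("sid contains characters that are not valid in a job id")
    return f"| loadjob {sid}"


def pick_run(jobs_json: str, saved_search: str, index: int = 0) -> Optional[str]:
    """Return the loadjob query for the index-th most recent run, or None."""
    runs = scheduled_runs(jobs_json, saved_search)
    if index >= len(runs):
        return None
    return loadjob_query(runs[index]["sid"], [r["sid"] for r in runs])


if __name__ == "__main__":
    for run in scheduled_runs(SAMPLE_JOBS_JSON, "Top Processes by CPU"):
        print(run["earliestTime"], run["sid"])
    print(pick_run(SAMPLE_JOBS_JSON, "Top Processes by CPU", 1))
```

The allow-list addresses only what goes into the search string; which artifacts a user may read is still decided by Splunk, since both the jobs listing and loadjob return only jobs the calling user has access to.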


yannK
Splunk Employee

For such use cases, you should use summary indexing to keep all your results and display them as you need.

FYI, by default the last 2 iterations of a scheduled search are kept in the dispatch folder.

0 Karma