Dashboards & Visualizations

Dashboard with savedsearch need update now????

hartfoml
Motivator

I have a dashboard with scheduled searches that take a little bit of time to run. I do the work at night so that the managers can see the data in the day without running the searches. I updated the searches and want to rerun all the saved searches without changing the schedule (some are weekly schedules).

Any suggestions on how I can run the searches so that it will show up in the dashboard without changing the schedule???

JohnWright8
Path Finder

[Note: this really should be below Claw's comment to which this is responding] "Which brings me full circle. An admin can easily go in and re-run the scheduled search on demand." - somehow I missed how an admin can "easily" re-run the search. Sure it is trivial for an individual to open a report and run it individually (but the new results aren't saved for any viewers of the dashboard), we still lack an easy facility for "updating" the results of a saved search (other than waiting for it to run at its next scheduled time).

0 Karma

Claw
Splunk Employee

So finally we are getting to the core of your question and these are the issues.

This is a scheduled report and clicking on the Refresh Button on the bottom of the screen returns the results of the saved search and does not re-execute the search.

If you click the Magnifying Glass to execute the search in the search panel, then it would have brought up the search with the same saved time as when the search was last run. At this point you can select a current time period and get the updated results.

But of course everyone else that looks at the saved search in the panel still gets the same old last hour or day or whatever time period.

One of the main reasons we create a scheduled report on a dashboard is so that every visitor (100? 1000?) doesn't re-execute expensive searches. Another is to publish an edited results set to obfuscate sensitive data.

Which brings me full circle. An admin can easily go in and re-run the scheduled search on demand.

0 Karma

Claw
Splunk Employee

If someone wants to take on the project to create an app which adds this functionality, this would be a good learning exercise.

0 Karma

Claw
Splunk Employee

Make sure not to miss this comment.

NOTE: To ensure that the fill_summary_index.py script only executes summary index searches at times that correspond to missing data, you must use -dedup true when you invoke it.

0 Karma

somesoni2
Revered Legend

You can try this workaround. Splunk provides a way to backfill summary index searches. What it does is simulate the summary index saved search execution for a historical period. Though it was designed originally for summary indexing backfill, you can use this to re-run any scheduled saved search for a historical period without changing the schedule of the search itself. See more information here.

http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Managesummaryindexgapsandoverlaps

0 Karma

JohnWright8
Path Finder

Thanks but this isn't worth the hassle. It's easier to just wait a day and let the reports run again. It would be nice if Splunk provided a nice simple "Re-run This" button on all reports.

0 Karma

JohnWright8
Path Finder

Same issue here... new data added since the report ran, manually opening the report updates it yet the dashboard still displays the old cached data.

Splunk Version 6.3.2

0 Karma

Claw
Splunk Employee

One way around this is to use | loadjob with the name of the saved search.

You could create an administrative panel for this to keep your users from executing it too many times.

Another way you can do this is with the REST API, by POSTing to the scheduled search's own dispatch endpoint:

    curl -k -u admin:pass \
      https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch \
      -d trigger_actions=1

0 Karma
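The REST dispatch call from the comment above, extended to a list of saved searches, as an added example that is not part of the original thread or Splunk's own code. It uses the endpoint and `trigger_actions=1` parameter shown in that comment, verifies the server certificate instead of using `-k`, and prompts for the password rather than putting it on the command line. The search name "Weekly Errors & Logins" and the `cafile` parameter are assumptions for illustration.

```python
import base64
import getpass
import ssl
import urllib.error
import urllib.parse
import urllib.request


def dispatch_url(base, owner, app, name):
    """Dispatch endpoint for one saved search; every path part is percent-encoded."""
    owner, app, name = (urllib.parse.quote(p, safe="") for p in (owner, app, name))
    return f"{base.rstrip('/')}/servicesNS/{owner}/{app}/saved/searches/{name}/dispatch"


def build_request(base, owner, app, name, user, password):
    """POST with trigger_actions=1 and HTTP Basic auth, like curl -u / -d."""
    body = urllib.parse.urlencode({"trigger_actions": 1}).encode()
    req = urllib.request.Request(dispatch_url(base, owner, app, name),
                                 data=body, method="POST")
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    return req


def rerun(names, base, owner, app, user, password, cafile=None):
    """Dispatch each saved search once; returns {name: HTTP status or error text}."""
    # The default context verifies certificate and hostname (no curl -k equivalent).
    ctx = ssl.create_default_context(cafile=cafile)
    results = {}
    for name in names:
        req = build_request(base, owner, app, name, user, password)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                results[name] = resp.status
        except urllib.error.URLError as exc:  # includes HTTPError (401, 404, ...)
            results[name] = f"failed: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample names; the password is prompted for, not passed in argv.
    searches = ["MySavedSearch", "Weekly Errors & Logins"]
    print(rerun(searches, "https://localhost:8089", "admin", "search",
                "admin", getpass.getpass("Splunk password: ")))
```

If the management port presents a certificate signed by a private CA, pass that CA bundle as `cafile` rather than turning verification off.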

JohnWright8
Path Finder

We couldn't get "loadjob" to work. And even if it did work as the documentation states: "Loads events or results of a previously completed search job." this does not do what is desired. We want to refresh the report (run it again) not just load the old results (without having to reschedule it).

0 Karma

jspears
Communicator

I had essentially the same question recently, no answers yet: "updating saved search results in advance of next run"

0 Karma