Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to change the time range for a previously run saved search to filter results?

tmnuclear
Explorer
‎04-21-2015 04:53 AM

I've been experiencing this for a while with saved searches and it looks like that once a saved search is done and you want to show the results in a dashboard, you cannot query another timerange over it.

For example, a saved search has Latest=@mon-2mon and Earliest=@d, and I'd like to use that saved search in a chart by using loadjob. I can't reduce the timerange to Latest=@mon-1mon and Earliest=@mon-1d for example. I'd get the following error:

Error in 'SearchOperator:loadjob': Cannot find artifacts within the search time range for savedsearch_ident '::'.

This happens for any timerange I want to use as filter on the results of the savedsearch original timerange... This is weird, because, why wouldn't I be able to do a time-based filter on the savedsearch's result set to limit the data I want to see, while I can do filter on fields? Doesn't make sense to me. Am I doing something wrong here?

<--- EDIT --->
For simplicity, here a simple savedsearch:

index=testindex host=testhost earliest=@mon-1 latest=@now

After the savedsearch is done, and I'm trying to Edit search of the view within the dashboard as following:

  1. | loadjob savedsearch="username:app:savedsearchname
  2. Change timerange to something different than All times- ofcourse, within the start and end time of the original query Then I get the error message above.

</--- EDIT --->

0 Karma
Reply

jherring_splunk
Splunk Employee
Splunk Employee
‎11-03-2017 06:54 AM

See: https://answers.splunk.com/answers/188469/how-to-get-results-to-load-with-a-time-picker-sett.html

0 Karma
Reply

masonmorales
Influencer
‎04-21-2015 02:22 PM

Can you post the query for your saved search please?

0 Karma
Reply

nabeel652
Builder
‎08-15-2016 05:47 PM

I ran into same problem. My query is:

index=logs earliest="-7d@w0" latest="@w0" | join type=LEFT DeviceID [| loadjob savedsearch="admin:workplace:all.devices"]

Gives error about not being able to find artifacts within the search time range for savedsearch="admin:workplace:all.devices". This search runs every 24 hours so it does not have artifacts saved from the last week....

0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎08-15-2016 06:03 PM

The loadjob is basically loading a pre-calculated/generated result. It's not running the search again, so you can't make any changes. If you can provide more details on the requirement, we may suggest some other alternatives.

Reply

tmnuclear
Explorer
‎04-22-2015 03:36 AM

See EDIT

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...