Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to change the time range for a previously run saved search to filter results?

tmnuclear
Explorer
‎04-21-2015 04:53 AM

I've been experiencing this for a while with saved searches and it looks like that once a saved search is done and you want to show the results in a dashboard, you cannot query another timerange over it.

For example, a saved search has Latest=@mon-2mon and Earliest=@d, and I'd like to use that saved search in a chart by using loadjob. I can't reduce the timerange to Latest=@mon-1mon and Earliest=@mon-1d for example. I'd get the following error:

Error in 'SearchOperator:loadjob': Cannot find artifacts within the search time range for savedsearch_ident '::'.

This happens for any timerange I want to use as filter on the results of the savedsearch original timerange... This is weird, because, why wouldn't I be able to do a time-based filter on the savedsearch's result set to limit the data I want to see, while I can do filter on fields? Doesn't make sense to me. Am I doing something wrong here?

<--- EDIT --->
For simplicity, here a simple savedsearch:

index=testindex host=testhost earliest=@mon-1 latest=@now

After the savedsearch is done, and I'm trying to Edit search of the view within the dashboard as following:

  1. | loadjob savedsearch="username:app:savedsearchname
  2. Change timerange to something different than All times- ofcourse, within the start and end time of the original query Then I get the error message above.

</--- EDIT --->

0 Karma
Reply

jherring_splunk
Splunk Employee
Splunk Employee
‎11-03-2017 06:54 AM

See: https://answers.splunk.com/answers/188469/how-to-get-results-to-load-with-a-time-picker-sett.html

0 Karma
Reply

masonmorales
Influencer
‎04-21-2015 02:22 PM

Can you post the query for your saved search please?

0 Karma
Reply

nabeel652
Builder
‎08-15-2016 05:47 PM

I ran into same problem. My query is:

index=logs earliest="-7d@w0" latest="@w0" | join type=LEFT DeviceID [| loadjob savedsearch="admin:workplace:all.devices"]

Gives error about not being able to find artifacts within the search time range for savedsearch="admin:workplace:all.devices". This search runs every 24 hours so it does not have artifacts saved from the last week....

0 Karma
Reply

somesoni2
Revered Legend
‎08-15-2016 06:03 PM

The loadjob is basically loading a pre-calculated/generated result. It's not running the search again, so you can't make any changes. If you can provide more details on the requirement, we may suggest some other alternatives.

Reply

tmnuclear
Explorer
‎04-22-2015 03:36 AM

See EDIT

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...