How to change the time range for a previously run saved search to filter results?

Explorer

I've been experiencing this for a while with saved searches, and it looks like once a saved search is done and you want to show the results in a dashboard, you cannot query another time range over it.

For example, a saved search has Latest=@mon-2mon and Earliest=@d, and I'd like to use that saved search in a chart by using loadjob. I can't reduce the timerange to Latest=@mon-1mon and Earliest=@mon-1d for example. I'd get the following error:

Error in 'SearchOperator:loadjob': Cannot find artifacts within the search time range for savedsearch_ident '::'.

This happens for any time range I want to use as a filter on the results of the saved search's original time range... This is weird, because why wouldn't I be able to do a time-based filter on the saved search's result set to limit the data I want to see, while I can filter on fields? It doesn't make sense to me. Am I doing something wrong here?

<--- EDIT --->
For simplicity, here is a simple saved search:

index=testindex host=testhost earliest=@mon-1 latest=@now

After the saved search is done, I try to Edit search of the view within the dashboard as follows:

  1. | loadjob savedsearch="username:app:savedsearchname"
  2. Change the time range to something different than All times (of course, within the start and end time of the original query).

Then I get the error message above.

</--- EDIT --->

Influencer

Can you post the query for your saved search please?

Builder

I ran into the same problem. My query is:

index=logs earliest="-7d@w0" latest="@w0" | join type=LEFT DeviceID [| loadjob savedsearch="admin:workplace:all.devices"]

It gives an error about not being able to find artifacts within the search time range for savedsearch="admin:workplace:all.devices". This search runs every 24 hours, so it does not have artifacts saved from the last week...

SplunkTrust

The loadjob is basically loading a pre-calculated/generated result. It's not running the search again, so you can't make any changes. If you can provide more details on the requirement, we may suggest some other alternatives.

Explorer

See EDIT