How to change the time range for a previously run saved search to filter results?

tmnuclear
Explorer

I've been experiencing this for a while with saved searches, and it looks like once a saved search is done and you want to show the results in a dashboard, you cannot query another timerange over it.

For example, a saved search has Latest=@mon-2mon and Earliest=@d, and I'd like to use that saved search in a chart by using loadjob. I can't reduce the timerange to Latest=@mon-1mon and Earliest=@mon-1d for example. I'd get the following error:

Error in 'SearchOperator:loadjob': Cannot find artifacts within the search time range for savedsearch_ident '::'.

This happens for any timerange I want to use as a filter on the results of the savedsearch's original timerange... This is weird, because why wouldn't I be able to do a time-based filter on the savedsearch's result set to limit the data I want to see, while I can filter on fields? Doesn't make sense to me. Am I doing something wrong here?

<--- EDIT --->
For simplicity, here is a simple savedsearch:

index=testindex host=testhost earliest=@mon-1 latest=@now

After the savedsearch is done, I'm trying to Edit search of the view within the dashboard as follows:

  1. | loadjob savedsearch="username:app:savedsearchname"
  2. Change timerange to something different than All times (of course, within the start and end time of the original query).

Then I get the error message above.

</--- EDIT --->

0 Karma

jherring_splunk
Splunk Employee
0 Karma

masonmorales
Influencer

Can you post the query for your saved search please?

0 Karma

nabeel652
Builder

I ran into the same problem. My query is:

index=logs earliest="-7d@w0" latest="@w0" | join type=LEFT DeviceID [| loadjob savedsearch="admin:workplace:all.devices"]

It gives an error about not being able to find artifacts within the search time range for savedsearch="admin:workplace:all.devices". This search runs every 24 hours, so it does not have artifacts saved from the last week....

0 Karma

somesoni2
SplunkTrust

The loadjob is basically loading a pre-calculated/generated result. It's not running the search again, so you can't make any changes. If you can provide more details on the requirement, we may suggest some other alternatives.

tmnuclear
Explorer

See EDIT

0 Karma