I've been experiencing this for a while with saved searches and it looks like that once a saved search is done and you want to show the results in a dashboard, you cannot query another timerange over it.
For example, a saved search has Latest=@mon-2mon
and Earliest=@d
, and I'd like to use that saved search in a chart by using loadjob
. I can't reduce the timerange to Latest=@mon-1mon
and Earliest=@mon-1d
for example. I'd get the following error:
Error in 'SearchOperator:loadjob': Cannot find artifacts within the search time range for savedsearch_ident '::'.
This happens for any timerange I want to use as filter on the results of the savedsearch original timerange... This is weird, because, why wouldn't I be able to do a time-based filter on the savedsearch's result set to limit the data I want to see, while I can do filter on fields? Doesn't make sense to me. Am I doing something wrong here?
<--- EDIT --->
For simplicity, here a simple savedsearch:
index=testindex host=testhost earliest=@mon-1 latest=@now
After the savedsearch is done, and I'm trying to Edit search
of the view within the dashboard as following:
| loadjob savedsearch="username:app:savedsearchname
All times
- ofcourse, within the start and end time of the original query
Then I get the error message above.</--- EDIT --->
Can you post the query for your saved search please?
I ran into same problem. My query is:
index=logs earliest="-7d@w0" latest="@w0" | join type=LEFT DeviceID [| loadjob savedsearch="admin:workplace:all.devices"]
Gives error about not being able to find artifacts within the search time range for savedsearch="admin:workplace:all.devices". This search runs every 24 hours so it does not have artifacts saved from the last week....
The loadjob is basically loading a pre-calculated/generated result. It's not running the search again, so you can't make any changes. If you can provide more details on the requirement, we may suggest some other alternatives.
See EDIT