I want to have a dashboard show the results of a saved search. My saved search is scheduled every hour and can easily take more than 30 minutes to run.
I would like a user viewing the dashboard to see the last completed saved search. If a saved search is running when they view the dashboard I don't want them to see the partial job that is currently running. I want them to see the last completed job.
Is this possible?
If your search is looking strictly for events be sure to add events=true to the end. It defaults to false. Noticed that my search was completing within Activity->Jobs but was returning no events to my dashboard compared to when I ran the search on its own outside the dashboard. Using events=true fixes that issue.
| loadjob savedsearch="MyUser:MyApp:MySavedSearch" artifact_offset=0 events=true
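A dashboard panel built around that command, as an added example that is not part of the original thread (a Simple XML panel that loads the finished artifact instead of referencing the saved search directly; the saved-search name is the thread's placeholder):

```xml
<dashboard>
  <label>Last completed run of MySavedSearch</label>
  <row>
    <panel>
      <title>Results of the last completed scheduled run</title>
      <table>
        <search>
          <!-- Rather than <search ref="MySavedSearch">, load the artifact of the
               scheduled job. artifact_offset=0 selects the most recent artifact;
               events=true returns the events instead of only transformed results
               (see the note above about an empty panel without it). -->
          <query>| loadjob savedsearch="MyUser:MyApp:MySavedSearch" artifact_offset=0 events=true</query>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</dashboard>
```

The panel itself runs only the quick loadjob search, so a viewer who opens the dashboard during the hour-long scheduled run is not shown that run's in-progress output.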
The docs linked say that artifact_offset defaults to 0, which says to me that this shouldn't change any behaviour. Is this a change in behaviour between this post and now, or is the documentation wrong and the default state differs to an explicit
Aha! Yes this is the correct answer. This is the solution I have been searching for. You need to do the loadjob otherwise when the next job runs your dashboard would only show partial results of the current job. When you have long running jobs you notice this.
Note: the documentation has a typo that I have just reported to Splunk. The parameter is artifact_offset=0. (On the web page there is both artifact-offset AND artifact_offset. The underscore parameter seems correct.)
When a dashboard is built on a scheduled search (as in your case), the dashboard will display the most recent search results rather than partial results from a running job.