How to display the last results from a scheduled saved search on a dashboard, not the job currently running?

burwell
SplunkTrust

I want to have a dashboard show the results of a saved search. My saved search is scheduled every hour and can easily take more than 30 minutes to run.

I would like a user viewing the dashboard to see the last completed saved search. If a saved search is running when they view the dashboard I don't want them to see the partial job that is currently running. I want them to see the last completed job.

Is this possible?

1 Solution

woodcock
Esteemed Legend

Like this:

| loadjob savedsearch="MyUser:MyApp:MySavedSearch" artifact_offset=0

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob

jbrinkman
Explorer

If your search is looking strictly for events be sure to add events=true to the end. It defaults to false. Noticed that my search was completing within Activity->Jobs but was returning no events to my dashboard compared to if I ran the search on its own outside the dashboard. Using events=true fixes that issue.

| loadjob savedsearch="MyUser:MyApp:MySavedSearch" artifact_offset=0 events=true
0 Karma

jlr
New Member

The docs linked say that artifact_offset defaults to 0, which says to me that this shouldn't change any behaviour. Is this a change in behaviour between this post and now, or is the documentation wrong and the default state differs to an explicit artifact_offset=0?

0 Karma

burwell
SplunkTrust

Aha! Yes, this is the correct answer. This is the solution I have been searching for. You need to do the loadjob; otherwise, when the next job runs, your dashboard would only show partial results of the current job. When you have long-running jobs you notice this.

Note: the documentation has a typo that I have just reported to Splunk. The parameter is artifact_offset=0. (On the web page there is both artifact-offset AND artifact_offset. The underscore parameter seems correct.)

0 Karma

llee_splunk
Splunk Employee

When a dashboard is built on a scheduled search (as in your case), the dashboard will display the most recent search results rather than partial results from a running job.

0 Karma