Dashboards & Visualizations

Non-admin user needs savedsearch job date in dashboard

SplunkTrust

I have non-admin users with dashboards. The base search uses a loadjob of a job that is scheduled each day to look at a day's worth of events. Other searches in the dashboard use the loadjob command. This all works well.

The scheduled job takes a long time to run and sometimes the scheduled job fails. We changed the job TTL to keep the results for 3 days.

The user wants to see the date that the scheduled job loadjob command is using. The user isn't an admin so does NOT have access to the _audit index. Is there any way for a non-admin to display the job date of the latest saved search in a dashboard? The user wants to know which day the job results are for.

FYI, if they did, they could do something like:

index=_audit savedsearch_name="MySearch" info=completed result_count>0
| eval job_start_time=strftime(exec_time,"%Y-%m-%d %H:%M:%S")

Path Finder

Your user may be able to get the data from a REST call, especially in a dashboard if they can already see the job results.

Just use the format below as a search.

| rest splunk_server=local /servicesNS/admin/search/saved/searches/{search name url encoded}/history

This should provide them with all the details; you'll want to look at the published time field, and of course look for the most recent job to have completed (isDone versus isFinalized).

https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTsearch#saved.2Fsearches.2F.7Bname.7D...


Esteemed Legend

You can derive the runtime of any SID from the details of the SID's name. For example, I had a scheduled search with a SID of scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576394280_17. In this case, the next-to-last segment of 1576394280 is the time that the search was run, which translates to 2019-12-15 01:18:00.


SplunkTrust

Thanks @woodcock, so what would the search be for a non-admin to get that SID with the Unix date?

Esteemed Legend

Add | addinfo | rename info_sid AS _SID | fields - info_* to every search. Then you can just do |savedsearch ... | rename _SID AS SID and go from there.


SplunkTrust

Thanks. I was looking for a solution that didn't involve updating each saved search. This is a technique I will test.


SplunkTrust

Thanks! I modified this search to avoid the error about not being able to access the REST call per https://answers.splunk.com/answers/712773/error-on-overview-pane-failed-to-fetch-rest-endpoi.html

| rest splunk_server=local /services/saved/searches/mysearch/history
| search isDone=1
| stats max(published) as search_date
| eval search_date=strftime(strptime(search_date,"%Y-%m-%dT%H:%M:%S"),"%Y-%m-%d %H:%M:%S")
| rename search_date AS "Search Date"
| table "Search Date"

This works.

@aromanauskas BTW if you convert to answer I can accept this answer. Thanks.

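An added example, not from any post in this thread, that applies the two techniques above outside of SPL: it parses the scheduled-run epoch out of a scheduler SID the way the Esteemed Legend reply describes, and picks the latest completed job from rows shaped like the saved/searches/<name>/history output the accepted answer uses. The history rows are constructed sample data (the first SID is the one quoted in the thread); the only fields assumed are sid, isDone, isFinalized and published, all of which that endpoint returns.

```python
import re
from datetime import datetime, timezone

# Scheduler SIDs have the form
#   scheduler__<owner>__<app>__RMD5<hash>_at_<epoch>_<seq>
# The next-to-last segment is the Unix time the scheduled run started.
SID_RE = re.compile(r"_at_(?P<epoch>\d{9,10})_\d+$")

# Constructed sample rows shaped like the saved/searches/<name>/history
# endpoint output (only the fields used here); the first SID is the one
# quoted in the thread.
SAMPLE_HISTORY = [
    {"sid": "scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576394280_17",
     "isDone": "1", "isFinalized": "0", "published": "2019-12-15T01:18:05-06:00"},
    {"sid": "scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576480680_22",
     "isDone": "0", "isFinalized": "0", "published": "2019-12-16T01:18:04-06:00"},
    {"sid": "scheduler__nobody__AntiHack__RMD51be464d6e9cd1a2a_at_1576307880_11",
     "isDone": "1", "isFinalized": "1", "published": "2019-12-14T01:18:09-06:00"},
]


def sid_run_time(sid):
    """Scheduled run time embedded in a scheduler SID, as a UTC datetime
    (the thread shows the same epoch rendered in the poster's local zone)."""
    m = SID_RE.search(sid)
    if not m:
        raise ValueError(f"not a scheduler SID: {sid}")
    return datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)


def parse_published(value):
    """Parse the 'published' field; the UTC offset is dropped, matching the
    strptime format used in the thread's SPL."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")


def latest_finished_run(history):
    """Most recently published job that ran to completion. Jobs that are not
    done (still running or failed) are skipped, as are finalized jobs, which
    were stopped early and so hold partial results."""
    done = [row for row in history
            if row.get("isDone") == "1" and row.get("isFinalized") != "1"]
    if not done:
        return None
    return max(done, key=lambda row: parse_published(row["published"]))


def job_date_for_dashboard(history):
    """The 'Search Date' string the dashboard panel shows, or None when no
    completed run is left within the job TTL."""
    row = latest_finished_run(history)
    return parse_published(row["published"]).strftime("%Y-%m-%d %H:%M:%S") if row else None
```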