
Saved Searches' unexpected behavior

twinspop
Influencer

With some experimenting, I've found that saved searches that are visible to all apps, and readable by everyone, do not have results that are accessible to other apps. That means that although you can add them to a dashboard or view in another app, the search will be run in real time when you load the view. Are saved scheduled search reports only available in their respective apps regardless of the search permission settings?

I came across this issue and tried using the move feature in the Saved Search manager (when logged in as admin). Server error.[1]

So I cloned the search and assigned the clone to the app I wanted. That method sort of worked. The search was copied, but not the report -- my chart was all wanky with default settings. I could see no way in the GUI to edit the saved search's chart settings, so I copied the viewstate stanza from the old search into the viewstate.conf file local to the target app, put that viewstate into savedsearches.conf, and restarted Splunk. Shouldn't 'clone' clone everything? Is there a better way to get properly configured charts copied in the cloning process?

[1] error message:

500 Internal Server Error
RESTException: [HTTP 409] [{'text': "In handler 'savedsearch': Object with 
id=REPORT_Web_Errors_by_Host already exists in config=savedsearches, user=nobody, 
app=my_app", 'code': None, 'type': 'ERROR'}]; None
1 Solution

jbsplunk
Splunk Employee

It sounds like what you did made the search available globally. In order to get the results of a saved search into a new app after you've made it available, you'd need to run it in the desired app, as it won't have access to the job run in the other app.

With regard to the cloning issue, the report is another object outside of the saved search, so that won't be cloned. The only object to be cloned will be the actual saved search in the scenario you mention above. If you look under Manager » Searches and reports, you'll see searches have a display view of 'None', and reports have a display view of 'report_builder_display'. You would need to make both available globally. Making the report available does not affect the report settings or the results of the saved search which is used to build the report. The answer would be to have a report and a saved search both made available to other apps.

jbsplunk
Splunk Employee

Yes, the behavior is by design.

0 Karma

twinspop
Influencer

If I read this right, the short answer is: By design.

0 Karma