We were struggling with migrating loadjob-based dashboards to something that works with Search Head Clustering (loadjob isn't SHC-ready yet; it doesn't load artifacts that should be replicated; it's on the known-issues list for 6.2.0,1,2,3).
I'd read all the documentation, or so I thought, but missed something in the Simple XML reference that Support highlighted.
The new search tag can take an attribute called 'ref'. The docs refer to this as loading a report, and this is what we can use instead of a loadjob command, but only in dashboards.
E.g.:
6.1:
<searchString>| loadjob savedsearch="user:app:my_great_search" | stats count by host</searchString>
6.2:
<search ref="my_great_search"> | stats count by host</search>
We can check if it works by using the job inspector and checking the SID is named after the scheduler; if it is, it's loaded from the results of the previous run of the scheduled saved search. If not, then the search had to run again.
Bonus: because it's a different attribute to the search tag, we can still benefit from the other features of 6.2 search tags, like using the report as one of a dashboard's base searches.
Hope this helps someone else avoid this issue. Thanks to Support again for pointing me in the right direction.
As with all things, the answer is the question and the question is the answer.... 🙂
For SHC in 6.2, refactor existing searches in simplexml dashboards to use the new search tags instead of the deprecated ones like searchName, searchTemplate, etc.
5, 6.0, 6.1:
<searchString> | loadjob savedsearch="user:app:my_search" | stats count by host</searchString>
6.2:
<search ref="my_search"> | stats count by host</search>
Bonus points- using a report as a base search:
<dashboard>
  <label>An Example</label>
  <description>Example of using replicated artefacts</description>
  <!-- Base search: loads the report by name via ref -->
  <search ref="my_search" id="baseSearch"></search>
  <row>
    <panel>
      <single>
        <title>Total Events by Host</title>
        <!-- Post-process search on top of the base search -->
        <search base="baseSearch">
          <query> stats count by host</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>
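An added example, not part of the original answer and not Splunk's own tooling: a Python audit helper that finds the loadjob-based searches in a Simple XML dashboard and extracts the report name needed for the ref attribute, along with any trailing post-process pipeline. The function name and the sample dashboard are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches the loadjob form shown in this thread:
#   | loadjob savedsearch="owner:app:report_name" | <rest of pipeline>
LOADJOB_RE = re.compile(
    r'^\s*\|\s*loadjob\s+savedsearch\s*=\s*"([^":]+):([^":]+):([^"]+)"'
    r'\s*(?:\|\s*(.*))?$',
    re.DOTALL,
)

# Elements that carry an inline query: the older tags plus 6.2-style <query>.
QUERY_TAGS = ("searchString", "searchTemplate", "query")

# Constructed sample dashboard (not taken from a real deployment).
SAMPLE_DASHBOARD = """
<dashboard>
  <label>Constructed sample</label>
  <row>
    <chart>
      <searchString>| loadjob savedsearch="user:app:my_great_search" | stats count by host</searchString>
    </chart>
    <table>
      <searchString>index=_internal | stats count by sourcetype</searchString>
    </table>
  </row>
</dashboard>
"""

def find_loadjob_searches(dashboard_xml):
    """Return one dict per loadjob-based search found in a dashboard."""
    findings = []
    for elem in ET.fromstring(dashboard_xml).iter():
        if elem.tag not in QUERY_TAGS or not elem.text:
            continue
        match = LOADJOB_RE.match(elem.text)
        if not match:
            continue  # ordinary inline search, nothing to migrate
        owner, app, report, post = match.groups()
        findings.append({
            "tag": elem.tag,
            "owner": owner,
            "app": app,
            "report": report,  # value to use in <search ref="...">
            "post_process": (post or "").strip(),
        })
    return findings

if __name__ == "__main__":
    for finding in find_loadjob_searches(SAMPLE_DASHBOARD):
        print(finding)
```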
When I try to implement the 6.2 solution, I see the results of my referenced report but the pipe to stats seems to be ignored. Any insights?
<panel>
<table>
<search ref="acall"> | stats count </search>
</table>
</panel>
The "ref" solution does not load the job in a clustered environment; instead, it reruns the saved search.
@machiel, what is the alternative in a clustered environment?
Hi @jamiemccallion
Thanks for sharing this useful topic on Answers for the rest of the community to know. Would you actually be able to copy and paste the actual solution and post it as an official answer at the bottom of this post? Otherwise, this post will just float around with no accepted answer and won't get as much visibility. Once you do, I'll be sure to upvote it 🙂
Patrick