Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What can we use to replace loadjob-based dashboards that work with Search Head Clustering to make use of replicated artifacts?

jamiemccallion
Explorer
‎06-30-2015 06:58 AM

We were struggling with migrating loadjob-based dashboards to something that works with Search Head Clustering (loadjob isn't SHC-ready yet- it doesn't load artifacts that should be replicated; it's on the known-issues list for 6.2.0,1,2,3)
I'd read all the documentation, or so I thought, but missed something in the simple xml reference that Support highlighted.

The new search tag can take an attribute called 'ref'. The docs refer to this as loading a report, and this is what we can use instead of a loadjob command- but only in dashboards.

Eg:
6.1:

<searchString>| loadjob savedsearch="user:app:my_great_search" | stats count by host</searchString>

6.2:

<search ref="my_great_search"> | stats count by host</search>

We can check if it works by using the job inspector and checking the SID is named after the scheduler; if it is, it's loaded from the results of the previous run of the scheduled saved search. If not, then the search had to run again.

Bonus- because it's a different attribute to the search tag, then we can still benefit from the other features of 6.2 search tags, like using the report as one of a dashboard's base searches.

Hope this helps someone else avoid this issue. Thanks to Support again for pointing me in the right direction.

Reply
1 Solution
Solved! Jump to solution
Solution

jamiemccallion
Explorer
‎06-30-2015 09:07 AM

As with all things, the answer is the question and the question is the answer.... 🙂

For SHC in 6.2, refactor existing searches in simplexml dashboards to use the new search tags instead of the deprecated ones like searchName, searchTemplate, etc.

5, 6.0, 6.1:

<searchString> | loadjob savedsearch="user:app:my_search" | stats count by host</searchString>

6.2:

<search ref="my_search"> | stats count by host<search>

Bonus points- using a report as a base search:

<dashboard>
<label>An Example</dashboard>
<description>Example of using replicated artefacts</description>
<search ref="my_search" id="baseSearch"></search>
<row>
<panel>
      <single>
        <title>Total Events by Host</title>
        <search base="baseSearch">
            <query> stats count by host</query>
        </search>
      </single>
</panel>
</row>
</dashboard>

View solution in original post

Reply
Solved! Jump to solution

paddygriffin
Path Finder
‎09-09-2015 05:09 PM

When I try to implement the 6.2 solution, I see the results of my referenced report but the pipe to stats seems to be ignored. Any insights?

<panel>
 <table>
    <search ref="acall">   | stats count </search>
  </table> 
</panel>
0 Karma
Reply
Solved! Jump to solution
Solution

jamiemccallion
Explorer
‎06-30-2015 09:07 AM

As with all things, the answer is the question and the question is the answer.... 🙂

For SHC in 6.2, refactor existing searches in simplexml dashboards to use the new search tags instead of the deprecated ones like searchName, searchTemplate, etc.

5, 6.0, 6.1:

<searchString> | loadjob savedsearch="user:app:my_search" | stats count by host</searchString>

6.2:

<search ref="my_search"> | stats count by host<search>

Bonus points- using a report as a base search:

<dashboard>
<label>An Example</dashboard>
<description>Example of using replicated artefacts</description>
<search ref="my_search" id="baseSearch"></search>
<row>
<panel>
      <single>
        <title>Total Events by Host</title>
        <search base="baseSearch">
            <query> stats count by host</query>
        </search>
      </single>
</panel>
</row>
</dashboard>
Reply
Solved! Jump to solution

machiel
Path Finder
‎04-25-2016 06:16 AM

The "ref" solution does not load the job in a clustered environment, instead, it reruns the saved search.

0 Karma
Reply
Solved! Jump to solution

cmeerbeek
Path Finder
‎05-03-2016 01:19 AM

@machiel, what is the alternative in a clustered environment?

0 Karma
Reply
Solved! Jump to solution

ppablo
Retired
‎06-30-2015 07:57 AM

Hi @jamiemccallion

Thanks for sharing this useful topic on Answers for the rest of the community to know. Would you actually be able to copy and paste the actual solution and post it as an official answer at the bottom of this post? Otherwise, this post will just float around with no accepted answer and won't get as much visibility. Once you do, I'll be sure to upvote it 🙂

Patrick

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...