Dashboards & Visualizations

What can we use to replace loadjob-based dashboards that work with Search Head Clustering to make use of replicated artifacts?

jamiemccallion
Explorer

We were struggling with migrating loadjob-based dashboards to something that works with Search Head Clustering (loadjob isn't SHC-ready yet- it doesn't load artifacts that should be replicated; it's on the known-issues list for 6.2.0,1,2,3)
I'd read all the documentation, or so I thought, but missed something in the simple xml reference that Support highlighted.

The new search tag can take an attribute called 'ref'. The docs refer to this as loading a report, and this is what we can use instead of a loadjob command- but only in dashboards.

Eg:
6.1:

<searchString>| loadjob savedsearch="user:app:my_great_search" | stats count by host</searchString>

6.2:

<search ref="my_great_search"> | stats count by host</search>

We can check if it works by using the job inspector and checking the SID is named after the scheduler; if it is, it's loaded from the results of the previous run of the scheduled saved search. If not, then the search had to run again.

Bonus- because it's a different attribute to the search tag, then we can still benefit from the other features of 6.2 search tags, like using the report as one of a dashboard's base searches.

Hope this helps someone else avoid this issue. Thanks to Support again for pointing me in the right direction.

1 Solution

jamiemccallion
Explorer

As with all things, the answer is the question and the question is the answer.... 🙂

For SHC in 6.2, refactor existing searches in simplexml dashboards to use the new search tags instead of the deprecated ones like searchName, searchTemplate, etc.

5, 6.0, 6.1:

<searchString> | loadjob savedsearch="user:app:my_search" | stats count by host</searchString>

6.2:

<search ref="my_search"> | stats count by host<search>

Bonus points- using a report as a base search:

<dashboard>
<label>An Example</dashboard>
<description>Example of using replicated artefacts</description>
<search ref="my_search" id="baseSearch"></search>
<row>
<panel>
      <single>
        <title>Total Events by Host</title>
        <search base="baseSearch">
            <query> stats count by host</query>
        </search>
      </single>
</panel>
</row>
</dashboard>

View solution in original post

paddygriffin
Path Finder

When I try to implement the 6.2 solution, I see the results of my referenced report but the pipe to stats seems to be ignored. Any insights?

<panel>
 <table>
    <search ref="acall">   | stats count </search>
  </table> 
</panel>
0 Karma

jamiemccallion
Explorer

As with all things, the answer is the question and the question is the answer.... 🙂

For SHC in 6.2, refactor existing searches in simplexml dashboards to use the new search tags instead of the deprecated ones like searchName, searchTemplate, etc.

5, 6.0, 6.1:

<searchString> | loadjob savedsearch="user:app:my_search" | stats count by host</searchString>

6.2:

<search ref="my_search"> | stats count by host<search>

Bonus points- using a report as a base search:

<dashboard>
<label>An Example</dashboard>
<description>Example of using replicated artefacts</description>
<search ref="my_search" id="baseSearch"></search>
<row>
<panel>
      <single>
        <title>Total Events by Host</title>
        <search base="baseSearch">
            <query> stats count by host</query>
        </search>
      </single>
</panel>
</row>
</dashboard>

machiel
Path Finder

The "ref" solution does not load the job in a clustered environment, instead, it reruns the saved search.

0 Karma

cmeerbeek
Path Finder

@machiel, what is the alternative in a clustered environment?

0 Karma

ppablo
Retired

Hi @jamiemccallion

Thanks for sharing this useful topic on Answers for the rest of the community to know. Would you actually be able to copy and paste the actual solution and post it as an official answer at the bottom of this post? Otherwise, this post will just float around with no accepted answer and won't get as much visibility. Once you do, I'll be sure to upvote it 🙂

Patrick

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...