What can we use to replace loadjob-based dashboards that work with Search Head Clustering to make use of replicated artifacts?

Explorer

We were struggling with migrating loadjob-based dashboards to something that works with Search Head Clustering (loadjob isn't SHC-ready yet: it doesn't load artifacts that should be replicated; it's on the known-issues list for 6.2.0,1,2,3).
I'd read all the documentation, or so I thought, but missed something in the Simple XML reference that Support highlighted.

The new search tag can take an attribute called 'ref'. The docs refer to this as loading a report, and this is what we can use instead of a loadjob command- but only in dashboards.

Eg:
6.1:

<searchString>| loadjob savedsearch="user:app:my_great_search" | stats count by host</searchString>

6.2:

<search ref="my_great_search"> | stats count by host</search>

We can check if it works by using the job inspector and checking the SID is named after the scheduler; if it is, it's loaded from the results of the previous run of the scheduled saved search. If not, then the search had to run again.

Bonus- because it's a different attribute to the search tag, then we can still benefit from the other features of 6.2 search tags, like using the report as one of a dashboard's base searches.

Hope this helps someone else avoid this issue. Thanks to Support again for pointing me in the right direction.

1 Solution

Explorer

As with all things, the answer is the question and the question is the answer.... 🙂

For SHC in 6.2, refactor existing searches in simplexml dashboards to use the new search tags instead of the deprecated ones like searchName, searchTemplate, etc.

5, 6.0, 6.1:

<searchString> | loadjob savedsearch="user:app:my_search" | stats count by host</searchString>

6.2:

<search ref="my_search"> | stats count by host</search>

Bonus points- using a report as a base search:

<dashboard>
  <label>An Example</label>
  <description>Example of using replicated artefacts</description>
  <search ref="my_search" id="baseSearch"></search>
  <row>
    <panel>
      <single>
        <title>Total Events by Host</title>
        <search base="baseSearch">
          <query> stats count by host</query>
        </search>
      </single>
    </panel>
  </row>
</dashboard>

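The migration described in this thread, as an added example that is not part of the original posts or Splunk's own tooling: it scans a Simple XML dashboard for `<searchString>` elements that start with `| loadjob savedsearch=...` and renders the report reference plus post-process search from the accepted answer. The function names, the `baseSearch` id and the sample dashboard are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Legacy form from the thread:
#   | loadjob savedsearch="user:app:my_search" | stats count by host
LOADJOB = re.compile(
    r'^\s*\|\s*loadjob\s+savedsearch="(?P<owner>[^:"]+):(?P<app>[^:"]+):(?P<name>[^"]+)"'
    r'\s*(?:\|\s*(?P<rest>.*))?$',
    re.S,
)

# Constructed 6.1-style dashboard (hypothetical, not from a real deployment).
SAMPLE = """<dashboard>
  <label>Constructed sample</label>
  <row>
    <table>
      <searchString>| loadjob savedsearch="user:app:my_search" | stats count by host</searchString>
    </table>
    <chart>
      <searchString>index=_internal | timechart count</searchString>
    </chart>
  </row>
</dashboard>"""


def find_loadjob_searches(dashboard_xml):
    """Return one dict per <searchString> that begins with | loadjob savedsearch=..."""
    hits = []
    for elem in ET.fromstring(dashboard_xml).iter("searchString"):
        m = LOADJOB.match(elem.text or "")
        if m:
            hits.append({k: (v or "").strip() for k, v in m.groupdict().items()})
    return hits


def as_ref_search(hit, base_id="baseSearch"):
    """Render the 6.2 form: <search ref=...> as base, the remainder as post-process."""
    base = ET.Element("search", {"ref": hit["name"], "id": base_id})
    out = [ET.tostring(base, encoding="unicode", short_empty_elements=False)]
    if hit["rest"]:  # text after the loadjob command becomes the post-process query
        post = ET.Element("search", {"base": base_id})
        ET.SubElement(post, "query").text = hit["rest"]  # XML-escaped on output
        out.append(ET.tostring(post, encoding="unicode"))
    return out


if __name__ == "__main__":
    for hit in find_loadjob_searches(SAMPLE):
        print(hit["owner"], hit["app"], hit["name"])
        print("\n".join(as_ref_search(hit)))
```

After deploying a rewritten dashboard, the job inspector check from the question (a SID named after the scheduler) shows whether the panel loaded the scheduled run's results or ran the search again.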

Path Finder

When I try to implement the 6.2 solution, I see the results of my referenced report but the pipe to stats seems to be ignored. Any insights?

<panel>
 <table>
    <search ref="acall">   | stats count </search>
  </table> 
</panel>
0 Karma

Path Finder

The "ref" solution does not load the job in a clustered environment; instead, it reruns the saved search.

0 Karma

Path Finder

@machiel, what is the alternative in a clustered environment?

0 Karma

Community Manager

Hi @jamiemccallion

Thanks for sharing this useful topic on Answers for the rest of the community to know. Would you actually be able to copy and paste the actual solution and post it as an official answer at the bottom of this post? Otherwise, this post will just float around with no accepted answer and won't get as much visibility. Once you do, I'll be sure to upvote it 🙂

Patrick

0 Karma