Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where can i get the id for saved search results to use in for a dropdown field in a form?

fere
Path Finder
‎09-10-2012 10:00 AM

Hi,
We are using SplunkStorm.
I have a form with a dropdown field being populated with search results using .
However, it takes too long and the values rarely change. I want to replace that with .
I ran the search and saved the results. When I click on the Jobs, I see the saved search showing up with status "Done" and Expires set to "Saved", but there is no id. I need that id to use it in the .
Thanks in advance for your help.

Reply

sideview
SplunkTrust
SplunkTrust
‎09-10-2012 10:34 AM

So there are two things that sound the same, but are different.

When you 'save results', or 'send to background', the handle you have on that is the ID of the search job, aka the id of the search results.

However when you 'save a search', or create a saved search, you're creating something that has a more stable configuration.

PopulatingSavedSearch is expecting the "name" of a saved search -- the name that you give it when you save it. And you cant give it an id of a search-result.

When and if the saved search has been running on a schedule, and it has a recent search result set associated with it, the dashboard systems will use that recent result instead of running the search ad-hoc. On the other hand if the 'saved search' does not have a schedule on it, the dashboard will have to run the search fresh each time to populate your dropdown.

Reply

fere
Path Finder
‎09-13-2012 03:33 PM

searching through documentation onlline, I stumbled on the info that the free version of Splunk does not have the scheduling feature! Does that mean that I can not use saved searches in my forms/dashboards to make them load faster? IS there any way to get around this limitation in the free version?

Reply

fere
Path Finder
‎09-13-2012 02:20 PM

Thanks. now I understand.
We are using SplunkStorm and when I create a saved search it does not present the option to schedule it too, which is what seems to be the thing that I need to do. According to the online document, when I go to search and reports (from manager) and create a search, the prompt shoudl also include scheduling options, but it does not. Neither the "create" or "save" buttons on the search screen have schedulign option!

Am I missing something? Is there anyway to schedule a search on SplunkStorm?

Appreciate your help

0 Karma
Reply

MarioM
Motivator
‎09-10-2012 10:32 AM

have you tried | rest search?

| rest /services/search/jobs count=0 | search isDone=1 isSavedSearch=1 | table label sid

-set your dropdown to populate with above values

-then another postprocess search 

| loadjob $sid$
Reply
Get Updates on the Splunk Community!

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...