
Where can I get the id for saved search results to use in for a dropdown field in a form?

fere
Path Finder

Hi,
We are using SplunkStorm.
I have a form with a dropdown field being populated with search results using .
However, it takes too long and the values rarely change. I want to replace that with .
I ran the search and saved the results. When I click on the Jobs, I see the saved search showing up with status "Done" and Expires set to "Saved", but there is no id. I need that id to use it in the .
Thanks in advance for your help.

sideview
SplunkTrust

So there are two things that sound the same, but are different.

When you 'save results', or 'send to background', the handle you have on that is the ID of the search job, aka the id of the search results.

However when you 'save a search', or create a saved search, you're creating something that has a more stable configuration.

PopulatingSavedSearch is expecting the "name" of a saved search -- the name that you give it when you save it. And you can't give it an id of a search-result.

When and if the saved search has been running on a schedule, and it has a recent search result set associated with it, the dashboard systems will use that recent result instead of running the search ad-hoc. On the other hand if the 'saved search' does not have a schedule on it, the dashboard will have to run the search fresh each time to populate your dropdown.

fere
Path Finder

Searching through documentation online, I stumbled on the info that the free version of Splunk does not have the scheduling feature! Does that mean that I cannot use saved searches in my forms/dashboards to make them load faster? Is there any way to get around this limitation in the free version?

fere
Path Finder

Thanks. Now I understand.
We are using SplunkStorm and when I create a saved search it does not present the option to schedule it too, which is what seems to be the thing that I need to do. According to the online document, when I go to search and reports (from manager) and create a search, the prompt should also include scheduling options, but it does not. Neither the "create" nor the "save" button on the search screen has a scheduling option!

Am I missing something? Is there any way to schedule a search on SplunkStorm?

Appreciate your help

0 Karma

MarioM
Motivator

Have you tried | rest search?

| rest /services/search/jobs count=0 | search isDone=1 isSavedSearch=1 | table label sid

- Set your dropdown to populate with the above values

- Then another postprocess search

| loadjob $sid$