I am trying to implement a dropdown populated with the history of a saved search.
Below is the code I am using to try and achieve this:
<module name="SearchSelectLister" > <param name="label">AM Filter (descending usage)</param> <param name="savedSearch">Access_Manager_Accounts</param> <param name="useHistory">true</param> <param name="searchWhenChanged">false</param> <param name="settingToCreate">dropdownAMAccountSelection</param>
I have run a backfill to capture the relevant data in the saved search's history. When I review the Jobs page I can see one entry with results. This entry has been finalized and saved.
What I would expect to happen is the dropdown would be populated with the results of this loosely represented search.
index="myindex01" | search INLINK_SPLIT="false" | dedup field1, field2, field3 | timechart span=1h count | fields INLINK
However rather than this occurring when I open the report I get the below.
"Could not find a job in the saved search "Access_Manager_Accounts" history.
Does anyone have any ideas as to why the view wouldn't be able to pick up the history of the saved search?
If further XML is required, please let me know.
Appreciate the help 🙂
This is unintuitive, but merely running a saved search from the user interface does NOT create an entry in that saved search's "history". Only the scheduler can populate the official history.
So the given saved search, although set to run on a schedule, has not actually run its first scheduled job yet.
One quick and dirty way to workaround this, at least while developing a view or a dashboard, is to set the schedule to 'every minute', wait a minute, then set it back to whatever your proper schedule was... Then you'll have a placeholder job to hold you over until the real job runs at 2AM or whenever.
'backfill' is term that I've only seen used in regards to Splunk's summary indexing feature, which is different from search-scheduling.
You need to set
Auto (the default), or just remove it. Setting it to
true requires that a previous instance of the job be run, saved, in the scope of the UI module (i.e., in the same app or exported to
system), and readable by the user viewing the UI module. Is all of this true?
I've the same Problem, my view doesn't find the save search, even if :
- the name is ok
- the app ist the same for search and view
- search was launched by the scheduler...
I've checked those criteria and they are in place.
Swapped the useHistory parameter over to auto results in the dropdown field being blank. I suppose splunk is not detecting the backfill job for which I saved the results and setting the dropdown to empty.
Thanks heaps for the response though.
At this stage I am considering placing all of data required by the report in a summary index. This will mean I can quickly populate the dropdown using an inline search string.