Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard shows no results for scheduled saved search BUT...

kmattern
Builder
‎09-11-2012 07:08 AM

I have dashboards that have scheduled saved searches. The search permissions are set to app with appropriate user permissions. When I load the dashboard I can see that the search ran 9 hours ago but shows no results. If I click on view results there are truly no results BUT if I rerun the search I get immediate results.

The thing is that this is spordic. Sometimes I have no trouble and sometimes none of the searches on a dashboard will show results. But every time I rerun them I get results.

What gives?

Tags (1)
Reply

kurtgad
New Member
‎05-20-2016 07:34 AM

Run the search as a power user who has access to all indexes & see what index the data is coming from. Then check what roles the user who owns the saved search has to see if the correct index is in "Indexes searched by default."

I had several saved searches that were created by a user who had default search on index "blahblahblah." When he left the company, the saved searches were transferred to another user so they would keep running. Unfortunately, the transferred-to user did not have "blahblahblah" as a default search index so the saved search always came up blank. If I clicked on the "View Results in Splunk" link in the email it showed nothing, however if I then hit the Search button from those results with my elevated access it searched all indexes including "blahblahblah." Adding "blahblahblah" to the transferred-to user's default indexes corrected the problem.

0 Karma
Reply

essklau
Path Finder
‎07-11-2014 07:16 AM

Ayn, could a too-short ttl be the cause if he is able to retrieve those results through "view results" at the same time his dashboard doesn't? By that I mean: why would view results ignore a too-short ttl?

0 Karma
Reply

kyleharrison
Path Finder
‎12-01-2014 11:29 AM

Seeing this exact same issue on 6.0. Did you ever resolve it?

0 Karma
Reply

christian_l
Path Finder
‎10-02-2013 01:59 AM

I have the same problem here.
I got several scheduled searches which show no results on the dashboards, if I click the view results link and just hit the search bnutton - without changing anything - my results appear as expected.

I run the following search:

`index=_internal source=*scheduler.log | eval sched = strftime(scheduled_time, "%Y-%m-%d %H:%M:%S") | table sched status savedsearch_name`

Which shows me success status for all the scheduled searches. Strange thing about this is the searches all worked before. They're also running on a dedicated Job-Server which is just running these searches.

Any ideas how to get the problem identified?

Regards,
Christian

Reply

essklau
Path Finder
‎07-11-2014 07:13 AM

Bimpitty bompitty bump...

Bueller?

0 Karma
Reply

Ayn
Legend
‎09-11-2012 08:01 AM

What settings are you using for you saved searches? Like, what time limits for instance?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...