Solved: Re: How do I run a scheduled search to refresh its...

sowings · ‎03-15-2013

I have a dashboard with a pulldown. This pulldown is populated by a saved search.
The search is run on a schedule to cache values so that the pulldown loads quickly.
If for some reason the scheduled search is not run (whether Splunk was not running,
or the search load required it to be skipped), the dashboard has empty pulldowns
instead of valid entries there.

How can I force the search to run again, and cache its results? I've tried using
the "run" link within the saved searches page of the manager, but that doesn't seem
to populate the saved search cache for the dashboard to use.

hexx · ‎03-18-2013

You know, I was hoping that the savedsearch command could help us here but unfortunately, it just runs the saved search as an ad-hoc search which means:
* The SID is that of an ad-hoc search, which makes the artifact not identifiable as a product of the particular scheduled search
* The TTL of the artifact is the default for an ad-hoc search instead of being the TTL of the scheduled search

So, from within Splunk, this doesn't seem possible. However, you can do this with the REST API by POSTing to the scheduled search's own dispatch endpoint @ /servicesNS/{user}/{app}/saved/searches/{saved_search_name}/dispatch, as shown in this example:

curl -k -u admin:pass \
https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch \
-d trigger_actions=1

View solution in original post

sassens1 · ‎02-02-2017

Hello,

I tried it but I've got an error message:

Invalid custom action for this internal handler (handler: savedsearch, custom action: dispatch, eai action: list).

What could be the issue?

HeinzWaescher · ‎02-21-2014

Hi,

I've deleted the cache of a scheduled search that I use in a dashboard.

I tried to refresh it via die REST API. It appears in the Jobs manager correctly, but when I go to the dashboard the search starts from scratch.

Any ideas why the created cached is not used?

BG

Heinz

wbsplunk · ‎12-09-2014

I have that same problem and trying to figure out why. In the meantime, I have a workaround and this is by using 'loadjob' with the name of the savedsearch (don't delete the cache of the scheduled savedsearch).

hexx · ‎03-18-2013

You know, I was hoping that the savedsearch command could help us here but unfortunately, it just runs the saved search as an ad-hoc search which means:
* The SID is that of an ad-hoc search, which makes the artifact not identifiable as a product of the particular scheduled search
* The TTL of the artifact is the default for an ad-hoc search instead of being the TTL of the scheduled search

So, from within Splunk, this doesn't seem possible. However, you can do this with the REST API by POSTing to the scheduled search's own dispatch endpoint @ /servicesNS/{user}/{app}/saved/searches/{saved_search_name}/dispatch, as shown in this example:

curl -k -u admin:pass \
https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch \
-d trigger_actions=1

sowings · ‎04-11-2013

What's the version availability of this endpoint?

sowings · ‎03-21-2013

I wish I could vote this up twice.

sowings · ‎03-19-2013

I had had the same experience with 'savedsearch', so I'm glad you've pointed me at the REST endpoint!

How do I run a scheduled search to refresh its cache?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!