Reporting

How do I run a scheduled search to refresh its cache?

Splunk Employee
Splunk Employee

I have a dashboard with a pulldown. This pulldown is populated by a saved search.
The search is run on a schedule to cache values so that the pulldown loads quickly.
If for some reason the scheduled search is not run (whether Splunk was not running,
or the search load required it to be skipped), the dashboard has empty pulldowns
instead of valid entries there.

How can I force the search to run again, and cache its results? I've tried using
the "run" link within the saved searches page of the manager, but that doesn't seem
to populate the saved search cache for the dashboard to use.

Tags (1)
1 Solution

Splunk Employee
Splunk Employee

You know, I was hoping that the savedsearch command could help us here but unfortunately, it just runs the saved search as an ad-hoc search which means:
* The SID is that of an ad-hoc search, which makes the artifact not identifiable as a product of the particular scheduled search
* The TTL of the artifact is the default for an ad-hoc search instead of being the TTL of the scheduled search

So, from within Splunk, this doesn't seem possible. However, you can do this with the REST API by POSTing to the scheduled search's own dispatch endpoint @ /servicesNS/{user}/{app}/saved/searches/{saved_search_name}/dispatch, as shown in this example:

curl -k -u admin:pass \
https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch \
-d trigger_actions=1

View solution in original post

Path Finder

Hello,

I tried it but I've got an error message:

Invalid custom action for this internal handler (handler: savedsearch, custom action: dispatch, eai action: list).

What could be the issue?

0 Karma

Motivator

Hi,

I've deleted the cache of a scheduled search that I use in a dashboard.

I tried to refresh it via die REST API. It appears in the Jobs manager correctly, but when I go to the dashboard the search starts from scratch.

Any ideas why the created cached is not used?

BG

Heinz

0 Karma

New Member

I have that same problem and trying to figure out why. In the meantime, I have a workaround and this is by using 'loadjob' with the name of the savedsearch (don't delete the cache of the scheduled savedsearch).

0 Karma

Splunk Employee
Splunk Employee

You know, I was hoping that the savedsearch command could help us here but unfortunately, it just runs the saved search as an ad-hoc search which means:
* The SID is that of an ad-hoc search, which makes the artifact not identifiable as a product of the particular scheduled search
* The TTL of the artifact is the default for an ad-hoc search instead of being the TTL of the scheduled search

So, from within Splunk, this doesn't seem possible. However, you can do this with the REST API by POSTing to the scheduled search's own dispatch endpoint @ /servicesNS/{user}/{app}/saved/searches/{saved_search_name}/dispatch, as shown in this example:

curl -k -u admin:pass \
https://localhost:8089/servicesNS/admin/search/saved/searches/MySavedSearch/dispatch \
-d trigger_actions=1

View solution in original post

Splunk Employee
Splunk Employee

What's the version availability of this endpoint?

0 Karma

Splunk Employee
Splunk Employee

I wish I could vote this up twice.

0 Karma

Splunk Employee
Splunk Employee

I had had the same experience with 'savedsearch', so I'm glad you've pointed me at the REST endpoint!