I have a number of saved searches scheduled to run each morning. However, I have a dashboard that allows certain configuration items to be changed in the app, which then would require those saved searches to run, as the previous results are now invalid.
I am using
| savedsearch xxx
in my dashboard, but that only runs the saved search, it does not update the previously cached result set. I cannot find a way for me to force a 'scheduled' run of those searches so the results are then saved for the next 24 hours.
In the past, I have manually updated the scheduled time to be a few minutes in the future, waited for the searches to run, and then set the schedule times back to their original time, but with about 10 saved searches, and the app deployed on a client site, that's not practical.
Any idea how to do this?
The solution is to use the curl app from Splunkbase and to issue the REST API reschedule command for the relevant SS from within SPL in the dashboard, so I am doing something like
| rest /servicesNS/nobody/myapp/saved/searches
| where title like "my_app_ss_%"
| fields title
| map maxsearches=100 search="
| curl method=post uri="https://localhost:8089/servicesNS/nobody/myapp/saved/searches/$$title$$/reschedule" datafield="schedule_time=+1m" splunkauth=true
| table *
"
| rex field=curl_response_url ".*/(?<title>[^/]*)/reschedule"
| eval Status=case(curl_status=200,"OK",curl_status=400,"Bad Request",curl_status=401,"Unauthorized",curl_status=403,"Forbidden",true(),"HTTP Status ".curl_status)
| table title, Status
and this gives me a table of whether the entry was rescheduled. The searches will then run at some point based on their window settings and then go back to their original next scheduled time.
Obviously it does require that the user has permissions to run REST calls and modify the SS schedule time, but that's fine in my case.
Note that the REST API is used first to read the list of SS, but in order to do the POST, it requires curl, as | rest does not support the POST API endpoints.
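The same two steps the answer performs from the dashboard (list the saved searches under the app namespace, then POST to each one's reschedule endpoint and report the HTTP status), written as an added Python example that is not part of the answer above and not the curl app's code. The HTTP layer is passed in as a callable so the selection and URL-building logic can be exercised offline; the real sender at the bottom uses urllib. Assumptions not in the original post: management port 8089, a bearer token read from the SPLUNK_TOKEN environment variable, and that the endpoint accepts "+1m" as a relative schedule_time, as the answer's call shows. The sample listing in the test is constructed. One caveat the example handles that the SPL version does not: the saved-search name is percent-encoded before being placed in the URL path, so titles containing spaces or slashes still produce a valid request.

```python
"""Reschedule a set of Splunk saved searches via the REST API.

Added example (not the answer's SPL, not the curl app's code): the same two
steps the answer runs from a dashboard, done from outside Splunk with plain
HTTP. The HTTP layer is injected as a callable so the selection and
URL-building logic runs offline; _splunk_sender() is the real urllib layer.

Assumptions (not in the original post): management port 8089, a bearer
token in SPLUNK_TOKEN, and that "+1m" is accepted as schedule_time.
"""
import json
import os
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

# Same mapping the answer's eval/case builds for its Status column.
STATUS_TEXT = {200: "OK", 400: "Bad Request", 401: "Unauthorized", 403: "Forbidden"}


def describe_status(code):
    """Human-readable status, falling back to 'HTTP Status <code>'."""
    return STATUS_TEXT.get(code, f"HTTP Status {code}")


def list_url(base, app, owner="nobody"):
    """GET URL for the app's saved searches; count=0 avoids page-size truncation."""
    return f"{base}/servicesNS/{owner}/{app}/saved/searches?output_mode=json&count=0"


def select_titles(listing, prefix):
    """Names starting with prefix from an output_mode=json listing ({"entry": [...]})."""
    return [e["name"] for e in listing.get("entry", []) if e["name"].startswith(prefix)]


def reschedule_request(base, app, title, schedule_time="+1m", owner="nobody"):
    """URL and form body for POST saved/searches/{name}/reschedule.

    quote(title, safe="") turns spaces and '/' into a single valid path
    segment; interpolating the raw title (as $$title$$ does in the SPL map)
    only works for names without such characters.
    """
    url = f"{base}/servicesNS/{owner}/{app}/saved/searches/{quote(title, safe='')}/reschedule"
    return url, urlencode({"schedule_time": schedule_time})


def reschedule_all(post, base, app, titles, schedule_time="+1m", owner="nobody"):
    """POST a reschedule per title; post(url, body) must return the HTTP status code.

    Returns {title: status text}, the same table the answer renders.
    """
    results = {}
    for title in titles:
        url, body = reschedule_request(base, app, title, schedule_time, owner)
        results[title] = describe_status(post(url, body))
    return results


def _splunk_sender(token, verify=True):
    """Real HTTP layer: (get_json, post_status) closures over urllib."""
    ctx = ssl.create_default_context()
    if not verify:  # self-signed 8089 certs are common; prefer adding the CA instead
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    headers = {"Authorization": f"Bearer {token}"}

    def get_json(url):
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), context=ctx) as resp:
            return json.load(resp)

    def post_status(url, body):
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status
        except urllib.error.HTTPError as err:  # 4xx/5xx still carry the code we report
            return err.code

    return get_json, post_status


if __name__ == "__main__":
    base, app, prefix = "https://localhost:8089", "myapp", "my_app_ss_"
    get_json, post_status = _splunk_sender(os.environ["SPLUNK_TOKEN"])
    titles = select_titles(get_json(list_url(base, app)), prefix)
    for title, status in reschedule_all(post_status, base, app, titles).items():
        print(f"{title}\t{status}")
```

Run it with SPLUNK_TOKEN set to a token whose role can edit the searches (a 403 per title is the symptom of missing edit permission on the saved search, as the answer notes). The permissions point from the answer applies equally here: whoever holds that token can change schedules, so scope it to the app's searches rather than reusing an admin credential.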
savedsearch is just a set of SPL code for easy use in the dashboards.
Did you hardcode anything in the saved search referred to by your dashboard? If so, try to fix that.
Could you please explain what your requirement is? Why do you want to do this? Might there be any alternative solutions? I'm not saying it's not possible, just provide more info.
My requirement is for a user to trigger an update of data in a KV store, from which then dependent saved searches are run to update stats from that updated KV store. Normally the KV store is updated once a day and the saved searches run after that update, but it is possible for a user to cause a change in the KV store, rendering the existing saved search results obsolete, and in fact now incorrect on dashboards that use those searches.