How to automatically update scheduled saved search from dashboard

bowesmana
SplunkTrust

I have a number of saved searches scheduled to run each morning. However, I have a dashboard that allows certain configuration items to be changed in the app, which then would require those saved searches to run as the previous results are now invalid.

I am using

| savedsearch xxx

in my dashboard, but that only runs the saved search, it does not update the previously cached result set. I cannot find a way for me to force a 'scheduled' run of those searches so the results are then saved for the next 24 hours.

In the past, I have manually updated the scheduled time to be a few minutes in the future, waited for the searches to run, and then set the schedule times back to their original time, but with about 10 saved searches, and the app deployed on a client site, that's not practical.

Any idea how to do this?


bowesmana
SplunkTrust

The solution is to use the curl app from Splunkbase and to issue the REST API reschedule command for the relevant SS from within SPL in the dashboard, so I am doing something like

| rest /servicesNS/nobody/myapp/saved/searches
| where title like "my_app_ss_%" 
| fields title 
| map maxsearches=100 search="
| curl method=post uri="https://localhost:8089/servicesNS/nobody/myapp/saved/searches/$$title$$/reschedule" datafield="schedule_time=+1m" splunkauth=true
| table *
"
| rex field=curl_response_url ".*/(?<title>[^/]*)/reschedule"
| eval Status=case(curl_status=200,"OK",curl_status=400,"Bad Request",curl_status=401,"Unauthorized",curl_status=403,"Forbidden",true(),"HTTP Status ".curl_status)
| table title, Status

and this gives me a table of whether the entry was rescheduled. The searches will then run at some point based on their window settings and then go back to their original next scheduled time.

Obviously it does require that the user has permissions to run REST calls and modify the SS schedule time, but that's fine in my case.

Note that the REST API is used first to read the list of SS, but in order to do the POST, it requires curl, as | rest does not support the POST API endpoints.
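An added example (not from the original post) that performs the same two REST steps from Python instead of the curl app: list the app's saved searches, POST reschedule for each title matching the prefix, and map the HTTP status codes the way the eval/case() step above does. It assumes a Splunk authentication token in the SPLUNK_TOKEN environment variable, the base URL https://localhost:8089 and app name myapp from the post; TLS verification stays on, so pass cafile for an instance with a self-signed certificate.

```python
import json
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request

def classify_status(code):
    """Same mapping as the eval/case() step in the SPL above."""
    names = {200: "OK", 400: "Bad Request", 401: "Unauthorized", 403: "Forbidden"}
    return names.get(code, f"HTTP Status {code}")

def build_reschedule_request(base_url, app, title, offset="+1m"):
    """URL and form body for POST .../saved/searches/<title>/reschedule."""
    safe_title = urllib.parse.quote(title, safe="")  # a title with '/' cannot alter the path
    url = f"{base_url}/servicesNS/nobody/{app}/saved/searches/{safe_title}/reschedule"
    return url, urllib.parse.urlencode({"schedule_time": offset}).encode()

def list_saved_searches(transport, base_url, app, prefix):
    """GET the app's saved searches as JSON and keep titles starting with prefix
    (the `where title like "my_app_ss_%"` step of the SPL)."""
    query = urllib.parse.urlencode({"output_mode": "json", "count": 0})
    status, payload = transport("GET", f"{base_url}/servicesNS/nobody/{app}/saved/searches?{query}", None)
    if status != 200:
        raise RuntimeError(f"listing saved searches failed: {classify_status(status)}")
    return [e["name"] for e in json.loads(payload)["entry"] if e["name"].startswith(prefix)]

def reschedule_all(transport, base_url, app, prefix, offset="+1m"):
    """Reschedule every matching saved search; returns {title: status text}."""
    results = {}
    for title in list_saved_searches(transport, base_url, app, prefix):
        url, body = build_reschedule_request(base_url, app, title, offset)
        status, _ = transport("POST", url, body)
        results[title] = classify_status(status)
    return results

def http_transport(token, cafile=None):
    """Real transport: token auth over verified TLS; transport(method, url, body) -> (status, bytes)."""
    ctx = ssl.create_default_context(cafile=cafile)
    def send(method, url, body):
        req = urllib.request.Request(url, data=body, method=method,
                                     headers={"Authorization": f"Bearer {token}"})
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # report 4xx/5xx as a status, like curl_status
            return err.code, err.read()
    return send

if __name__ == "__main__":  # assumption: a Splunk auth token is in SPLUNK_TOKEN
    transport = http_transport(os.environ["SPLUNK_TOKEN"])
    print(reschedule_all(transport, "https://localhost:8089", "myapp", "my_app_ss_"))
```

The transport is injected so the listing and reschedule logic can be exercised against a fake before the token that is allowed to modify saved searches is handed to it.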

nareshinsvu
Builder

savedsearch is just a set of SPL code for easy use in the dashboards.

Did you hardcode anything in your saved search referred by your dashboard? If so, try to fix that?


jacobpevans
Motivator

Could you please explain what your requirement is? Why do you want to do this? Might there be any alternative solutions? I'm not saying it's not possible, just provide more info.

Cheers,
Jacob


bowesmana
SplunkTrust

My requirement is for a user to trigger an update of data in a KV store, from which then dependent saved searches are run to update stats from that updated KV store. Normally the KV store is updated once a day and the saved searches run after that update, but it is possible for a user to cause a change in the KV store, rendering the existing saved search results obsolete, and in fact now incorrect on dashboards that use those searches.
