Reporting

Saved search (report) not working on dashboard panel with pipeline:scheduler disabled

caseypike
Path Finder

To reduce resource burden of scheduled searches (reports) and alerts off of the search heads, I have configured a default-mode.conf file to disable the pipeline:scheduler and created a separate job server. In Splunk v5, when I added a panel calling a saved search to a simple dashboard, it ran with no issues even though the pipeline:scheduler was disabled. Upgrading to Splunk v6, I now get “In handler ‘savedsearch’: Search scheduler has not started yet.” as an error in that panel.

Cloning to an inline search works. Also, converting the panel to run an inline search which calls the report using the ‘savedsearch’ command works.

Does running a saved search (report) in a dashboard panel on an ad-hoc basis (every time the dashboard is loaded) not work anymore in v6 with the scheduler disabled?

1 Solution

melting
Splunk Employee
Splunk Employee

You are correct. In Splunk 6.0 saved searches are dispatched via the saved search endpoint, which requires the scheduler to be enabled.

View solution in original post

melting
Splunk Employee
Splunk Employee

You are correct. In Splunk 6.0 saved searches are dispatched via the saved search endpoint, which requires the scheduler to be enabled.

robsuh
Explorer

dshpritz What do you mean by SH?

Nevermind, I think it means Search Head.

0 Karma

dshpritz
SplunkTrust
SplunkTrust

FYI for others:
Bug in Splunk 6 (SPL-74761) means that disabling scheduled searches on a SH will result in that SH being unable to retrieve saved search results. Dashboards could fail if using saved search results, links to results from emails would fail.

caseypike
Path Finder

Not the answer I wanted... 🙂 Thanks for responding so quickly though.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...