Re: use schedule report for Dashboard

nivets · ‎08-18-2022

I have scheduled report which will give the result of hostname and some other details in the table format and now i need to use this schedule report to get the same output in my dashboard. The dashboard should not rerun everytime i open it.

For example:

i have scheduled report which will run everyday at 00:00 and return the details in table format and the same details should be shown in dashboard untill the next schedule report runs.

can anyone help how to work on this

diogofgm · ‎08-18-2022

You can either use `|loadjob`to load the results from the search but be aware that in case the results are no longer present you won't have data showed in the dashboard which might be the case depending on the time interval of you search and how long splunk will keep the results. I've used this in the past to make dashboards load faster for several users.
Another approach is to `|outputlookup my results.csv` in the scheduled search to dump the results into a lookup/csv and then use `|inputlookup my results.csv`to load the results into a dashboard.

------------
Hope I was able to help you. If so, some karma would be appreciated.

ITWhisperer · ‎08-18-2022

You are right, you can use loadjob with the savedsearch option as an alternative, but you need to use the fully qualified name of the report (as you say, using the sid from an earlier search may not work if the results have been already been removed)

| loadjob savedsearch="<user-string>:<app-string>:<search-name-string>"

I find it easier to use the ref which doesn't require knowing who owns the report etc., it just has to be visible to you 😀

ITWhisperer · ‎08-18-2022

  <search ref="Report name"/>

nivets · ‎08-18-2022

Thanks for the reply.

I have tried both |loadjob and <search ref="report name"/> both are returning the outputs but the outputs which are returning is not matching with the output from the scheduled report.

Means, i have created a scheduled report with action send the results with csv format to my inbox. if i am creating the dashboard with the same scheduled report it should return the output of last ran output , right?

If yes , then am seeing the difference in the results

ITWhisperer · ‎08-18-2022

In what way are they different - don't forget that csv can be truncated to 10000 rows?

nivets · ‎08-18-2022

we dont have more than 500 rows. i have compared the both results from the csv file and results from the dashboard panel

ITWhisperer · ‎08-18-2022

Interesting - it always comes out the same for me - can you share your dashboard SimpleXML?

nivets · ‎08-18-2022

Please find the below XML:

Using Loadjob

<dashboard>
<label>Report</label>
<row>
<panel>
<table>
<search>
<query> |loadjob savedsearch="admin:search:savedsearchreport"| table host,index</query>
</search>
</table>
</panel>
</row>
</dashboard>

Using ref:

<dashboard>
<label>Report</label>
<search id="basesearch" ref="savedsearchreport"/>
<row>
<panel>
<table>
<search base="basesearch">
<query> | table host,index</query>
</search>
</table>
</panel>
</row>
</dashboard>

ITWhisperer · ‎08-18-2022

I see no reason why this wouldn't work - how are these tables different to the csv you received? More rows? Fewer rows? Different fields? Multi-value fields? Completely different data?

nivets · ‎08-18-2022

Not totally different, like some of the field values available in csv file are not available in dashboard and some of the field values available in dashboard are not available in csv file.

Use schedule report for Dashboard output?

scheduled search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!