Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

jobs page search results

carmackd
Communicator
‎06-02-2010 06:39 PM

I noticed when recalling a saved search from the jobs page, I can only view the results if I have some sort of formatting on the end of my search string, such as “ | stats count by host.” If my saved search equals ex… “sourcetype=syslog” , the timeline fills in but no results are returned. Thoughts?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-02-2010 09:21 PM

This is because your events are not actually stored in all cases. (If you switch from the results view to the "Events" view when you open a job, you will see that the events are missing there too.)

You can manually change this by adjusting the dispatch.buckets value. This is 0 by default for saved searches (and 300 for interactive searches). This is 0 for saved searches beacause you don't need interactive feedback as the job runs, which does allow it to run faster in the background, the downside it that you don't get any timeline info and the actual events are not stored. If you want to change this for a specific search, you can find your saved search in savedsearches.conf and add an entry like this:

[your_saved_search_name]
...
dispatch.buckets = 300
...

Alternately, I often just find it more convenient to re-run the search. All the parameters are already set for you, just just have hit the green search arrow. (Of course if this is a big search, than this can be an expensive operation.)

From the savedsearches.conf doc:

dispatch.buckets = <integer>

  • The maximum number of timeline buckets.
  • Defaults to 0.

View solution in original post

Reply
Solved! Jump to solution
Solution

Lowell
Super Champion
‎06-02-2010 09:21 PM

This is because your events are not actually stored in all cases. (If you switch from the results view to the "Events" view when you open a job, you will see that the events are missing there too.)

You can manually change this by adjusting the dispatch.buckets value. This is 0 by default for saved searches (and 300 for interactive searches). This is 0 for saved searches beacause you don't need interactive feedback as the job runs, which does allow it to run faster in the background, the downside it that you don't get any timeline info and the actual events are not stored. If you want to change this for a specific search, you can find your saved search in savedsearches.conf and add an entry like this:

[your_saved_search_name]
...
dispatch.buckets = 300
...

Alternately, I often just find it more convenient to re-run the search. All the parameters are already set for you, just just have hit the green search arrow. (Of course if this is a big search, than this can be an expensive operation.)

From the savedsearches.conf doc:

dispatch.buckets = <integer>

  • The maximum number of timeline buckets.
  • Defaults to 0.
Reply
Solved! Jump to solution

Lowell
Super Champion
‎06-04-2010 04:07 PM

I added a link to the docs. If you feel like it should be explained better or in more details, feel free to email the people who maintain the docs with your thoughts or ideas. Their email is docs@splunk.com

0 Karma
Reply
Solved! Jump to solution

carmackd
Communicator
‎06-04-2010 12:17 PM

Thanks for the response, and good advice. Your suggestion worked great! This should be mentioned in the Splunk documentation but like many other things, it's not.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...