Solved: saved searches

raomu · ‎01-09-2018

I have schedule report"AAA" which runs once in a month ( pulls huge number of records for last 6 months)

I have another dashboard where I have one panel showing "AAA" data.

my code is :

      <query>| loadjob savedsearch="username:search:Domain_Controllers_Status_In_Splunk"</query>

    </search>

    It use work fine till last month, and now I don't see any data pull in Dashboard panel. Although the schedule reports works fine.

Any idea how long the saved searches are accessible is there ant time frame like a week or some time is set, I am assuming if the saved is not getting expired.

Any suggestion.

cmerriman · ‎01-10-2018

run this and look at the dateExpire field that is calculated. that should give you an idea.

|rest /services/search/jobs|search  isSavedSearch=1 delegate="scheduler" label="Domain Controllers Status In Splunk"|fields author label earliestTime latestTime runDuration isDone isFailed isSaved sid ttl published|eval publishedepoch=strptime(published,"%Y-%m-%dT%H:%M:%S.%3N%:z")|eval dateExpire=strftime(publishedepoch+ttl,"%Y-%m-%dT%H:%M:%S")

the ttl is the time to live. you can change the settings in savedsearches.conf under dispatch.ttl
https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Savedsearchesconf#dispatch_search_options

View solution in original post

cmerriman · ‎01-10-2018

run this and look at the dateExpire field that is calculated. that should give you an idea.

|rest /services/search/jobs|search  isSavedSearch=1 delegate="scheduler" label="Domain Controllers Status In Splunk"|fields author label earliestTime latestTime runDuration isDone isFailed isSaved sid ttl published|eval publishedepoch=strptime(published,"%Y-%m-%dT%H:%M:%S.%3N%:z")|eval dateExpire=strftime(publishedepoch+ttl,"%Y-%m-%dT%H:%M:%S")

the ttl is the time to live. you can change the settings in savedsearches.conf under dispatch.ttl
https://docs.splunk.com/Documentation/Splunk/7.0.1/Admin/Savedsearchesconf#dispatch_search_options

raomu · ‎01-10-2018

Thanks, I am able to find the expire date/Time.

mayurr98 · ‎01-10-2018

hey

you can definitely extend the job life time as mentioned in this doc
https://docs.splunk.com/Documentation/Splunk/6.6.3/Search/Extendjoblifetimes

but what i would suggest is try this search command savedsearch and use this is dashboard instead of loadjob
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Savedsearch
| savedsearch your_report_name
let me know if this helps you!

cmerriman · ‎01-10-2018

I'll agree that you could run the savedsearch command, however, it will run the entire saved search when the dashboard is ran, instead of pulling in the results from the report. as stated above, it is a huge amount of data, and could take a while. I'd recommend extending the life of the job under the savedsearches.conf for ongoing runs of this report.

mayurr98 · ‎01-10-2018

here i am assuming that saved search is accelerated 😛

andrey2007 · ‎01-10-2018

You cas specify and increase job lifetime period

https://docs.splunk.com/Documentation/Splunk/latest/Search/Extendjoblifetimes

saved searches

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation