Reporting

some scheduled saved searches not saved

wojtek_swiatek
Path Finder

Hello,

I have on the same dashboard a few searches, all scheduled, out of which half are not actually saved (when opening the dashboard some of the panels appear immediately with a "... hours ago" while others's search is run only at that time).

They look similar in the configuration. For instance this one is scheduled & correctly saved

[Panel 1]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 25 06 * * *
dispatch.earliest_time = -3mon@mon
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
request.ui_dispatch_view = flashtimeline
search = (the search query goes here)
vsid = hfm8s3w8

while that one is not

[Panel 2]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 50 6 * * *
dispatch.earliest_time = -90d@d
dispatch.latest_time = now
enableSched = 1
search = (search query goes here)

They were both created via the GUI, not directly coded into the savedsearches.conf file.

Thank you for any insights!

0 Karma

jtrucks
Splunk Employee
Splunk Employee

It is possible to use a search in a dashboard that is not in the saved searches list. If you created the search within the dashboard, or altered the search parameters within the dashboard context and did not change the original saved search, then that search would not be shown in the saved searches list.

Also, your missing search may be in the $SPLUNKHOME/users/username/appname/local/savedsearches.conf file not in the $SPLUNKHOME/etc/apps/appname/local/savedsearches.conf file.