Reporting

use of schedule search in dashboard

ips_mandar
Builder

I have dashboard which has user input to select host (from dropdown) and timerange-
since its big search I was thinking to create scheduled saved search which will run periodically and this saved search will be referred in dashboard .
1. since in dashboard I have dropdown to select host so while writing scheduled saved search I need to mention host=* in query to run for all host?
2. and if I am running saved search on last 3 days periodically but in my dashboard if I select timerange as last 7 days then does it will rerun the search over last 7 days or how it will work?
Please clarify above points.
Note-I have multiple host and from each host high amount of data is coming.

0 Karma
1 Solution

arjunpkishore5
Motivator

You cannot have variable time ranges or parameters on a scheduled saved search.

I think you slightly need to change your strategy here. Considering that you have large amount of data and that your time range needs to be variable,
1. Use your scheduled search to summarize to a summary index.
2. In your dashboard, query on the summary index.
3. (Optional) Depending on your use case, you could also then consider using a "base search" on your summary index in the dashboard to speed up things further.

If you still want to continue using scheduled searches on your dashboard, you can partially do it. However, you cannot work around the time ranges in an easy way. So without variable time range,
1. schedule your saved search for all hosts
2. in your dashboard, use loadjob to load your savedsearch and then filter the host

| loadjob sid
| search host IN ($selected_hosts$)

Hope this helps.

Cheers.

View solution in original post

0 Karma

arjunpkishore5
Motivator

You cannot have variable time ranges or parameters on a scheduled saved search.

I think you slightly need to change your strategy here. Considering that you have large amount of data and that your time range needs to be variable,
1. Use your scheduled search to summarize to a summary index.
2. In your dashboard, query on the summary index.
3. (Optional) Depending on your use case, you could also then consider using a "base search" on your summary index in the dashboard to speed up things further.

If you still want to continue using scheduled searches on your dashboard, you can partially do it. However, you cannot work around the time ranges in an easy way. So without variable time range,
1. schedule your saved search for all hosts
2. in your dashboard, use loadjob to load your savedsearch and then filter the host

| loadjob sid
| search host IN ($selected_hosts$)

Hope this helps.

Cheers.

0 Karma

ips_mandar
Builder

This makes sense to me..Thank a lot @arjunpkishore5

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...