- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- use of schedule search in dashboard
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have dashboard which has user input to select host (from dropdown) and timerange-
since its big search I was thinking to create scheduled saved search which will run periodically and this saved search will be referred in dashboard .
1. since in dashboard I have dropdown to select host so while writing scheduled saved search I need to mention host=* in query to run for all host?
2. and if I am running saved search on last 3 days periodically but in my dashboard if I select timerange as last 7 days then does it will rerun the search over last 7 days or how it will work?
Please clarify above points.
Note-I have multiple host and from each host high amount of data is coming.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot have variable time ranges or parameters on a scheduled saved search.
I think you slightly need to change your strategy here. Considering that you have large amount of data and that your time range needs to be variable,
1. Use your scheduled search to summarize to a summary index.
2. In your dashboard, query on the summary index.
3. (Optional) Depending on your use case, you could also then consider using a "base search" on your summary index in the dashboard to speed up things further.
If you still want to continue using scheduled searches on your dashboard, you can partially do it. However, you cannot work around the time ranges in an easy way. So without variable time range,
1. schedule your saved search for all hosts
2. in your dashboard, use loadjob to load your savedsearch and then filter the host
| loadjob sid
| search host IN ($selected_hosts$)
Hope this helps.
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You cannot have variable time ranges or parameters on a scheduled saved search.
I think you slightly need to change your strategy here. Considering that you have large amount of data and that your time range needs to be variable,
1. Use your scheduled search to summarize to a summary index.
2. In your dashboard, query on the summary index.
3. (Optional) Depending on your use case, you could also then consider using a "base search" on your summary index in the dashboard to speed up things further.
If you still want to continue using scheduled searches on your dashboard, you can partially do it. However, you cannot work around the time ranges in an easy way. So without variable time range,
1. schedule your saved search for all hosts
2. in your dashboard, use loadjob to load your savedsearch and then filter the host
| loadjob sid
| search host IN ($selected_hosts$)
Hope this helps.
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This makes sense to me..Thank a lot @arjunpkishore5
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
