Reporting

Use of scheduled search in dashboard

ips_mandar
Builder

I have a dashboard which has user inputs to select a host (from a dropdown) and a time range.
Since it's a big search, I was thinking of creating a scheduled saved search which will run periodically, and this saved search will be referenced in the dashboard.
1. Since the dashboard has a dropdown to select the host, do I need to specify host=* in the scheduled saved search query so that it runs for all hosts?
2. If the saved search runs periodically over the last 3 days, but in my dashboard I select a time range of the last 7 days, will it rerun the search over the last 7 days, or how will it work?
Please clarify the above points.
Note: I have multiple hosts, and a high amount of data is coming from each host.

0 Karma
1 Solution

arjunpkishore5
Motivator

You cannot have variable time ranges or parameters on a scheduled saved search.

I think you need to change your strategy slightly here. Considering that you have a large amount of data and that your time range needs to be variable,
1. Use your scheduled search to summarize to a summary index.
2. In your dashboard, query on the summary index.
3. (Optional) Depending on your use case, you could also then consider using a "base search" on your summary index in the dashboard to speed up things further.

If you still want to continue using scheduled searches on your dashboard, you can partially do it. However, you cannot work around the time ranges in an easy way. So, without a variable time range,
1. Schedule your saved search for all hosts.
2. In your dashboard, use loadjob to load your saved search and then filter the host.

| loadjob sid
| search host IN ($selected_hosts$)

Hope this helps.

Cheers.


0 Karma
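
The summary-index approach from the answer above, sketched as a Simple XML dashboard (an added example, not part of the original thread). The index names, field names and tokens are hypothetical; the scheduled search that fills the summary index is shown in the leading comment.

```xml
<!-- Added example; index "web", summary index "summary_host_hourly" and the tokens
     are hypothetical. Scheduled populating search, run hourly over -1h@h to @h for all hosts:
       index=web | bin _time span=1h | stats count AS events BY _time host
       | rename host AS src_host | collect index=summary_host_hourly
     (host is renamed so it cannot collide with the summary event's own host metadata) -->
<form>
  <label>Host activity from summary index</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="host_tok">
      <label>Host</label>
      <choice value="*">All hosts</choice>
      <default>*</default>
      <fieldForLabel>src_host</fieldForLabel>
      <fieldForValue>src_host</fieldForValue>
      <search>
        <query>index=summary_host_hourly | stats count BY src_host</query>
        <earliest>-7d@d</earliest>
        <latest>now</latest>
      </search>
    </input>
    <input type="time" token="time_tok">
      <label>Time range</label>
      <default>
        <earliest>-3d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <!-- Base search reads only the small hourly rows; |s quotes the token value -->
  <search id="summary_base">
    <query>index=summary_host_hourly src_host=$host_tok|s$ | fields _time src_host events</query>
    <earliest>$time_tok.earliest$</earliest>
    <latest>$time_tok.latest$</latest>
  </search>
  <row>
    <panel>
      <chart>
        <title>Events per hour</title>
        <search base="summary_base">
          <query>timechart span=1h sum(events) BY src_host</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Because the dashboard searches the summary index directly, the time picker can cover any range for which hourly rows have already been collected, and read access to the dashboard data is governed by the roles allowed to search the summary index.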

ips_mandar
Builder

This makes sense to me. Thanks a lot @arjunpkishore5

0 Karma