Splunk Search

Using saved search results on a dashboard not working

jstockamp
Communicator

I've got a saved search configured on a schedule and if I click on "view recent" I can see recent runs and if I click on a run I can see the report output. Now when I try to add this saved search to a dashboard, it's still trying to run the search as if there were no saved results available. Where should I start troubleshooting?

1 Solution

ben_leung
Builder

Also facing this issue. Currently on Splunk version 6.0.5

Some panels are pulling the search results of scheduled searches, while some are not.
From the configs below, the panel for Dashboard1 is acting as if it is an inline search.
Dashboard2 panel is working as expected.

<dashboard>
  <label>Testing Dashboard</label>
  <description/>
  <row>
    <chart>
      <title>Dashboard1</title>
      <searchName>dashboard_search1</searchName>
      <option name="charting.chart.showLabels">false</option>
      <option name="height">100px</option>
      <drilldown target="_blank">
        <link>
          <![CDATA[/app/search/dashboard1]]>
        </link>
      </drilldown>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
      <option name="charting.fieldColors">{"NOT Reporting": 0xFF0000, "Reporting": 0x84E900}</option>
    </chart>

    <chart>
      <title>Dashboard2</title>
      <searchName>dashboard_search2</searchName>
      <option name="charting.chart.showLabels">false</option>
      <option name="height">100px</option>
      <drilldown target="_blank">
        <link>
          <![CDATA[/app/search/dashboard2]]>
        </link>
      </drilldown>
      <option name="charting.axisTitleX.visibility">visible</option>
      <option name="charting.axisTitleY.visibility">visible</option>
      <option name="charting.axisX.scale">linear</option>
      <option name="charting.axisY.scale">linear</option>
      <option name="charting.chart">pie</option>
      <option name="charting.chart.nullValueMode">gaps</option>
      <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
      <option name="charting.chart.stackMode">default</option>
      <option name="charting.chart.style">shiny</option>
      <option name="charting.drilldown">all</option>
      <option name="charting.layout.splitSeries">0</option>
      <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
      <option name="charting.legend.placement">right</option>
      <option name="charting.fieldColors">{"NOT Reporting": 0xFF0000, "Reporting": 0x84E900}</option>
    </chart>
  </row>
</dashboard>

The saved searches dot conf of the search is below.

[dashboard_search1]
action.email.inline = 1
action.email.sendresults = 1
action.email.to = my_email@domain.com
alert.digest_mode = True
alert.expires = 2h
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = 1 * * * *
dispatch.earliest_time = -48h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = search
search = index=_internal sourcetype=splunkd | chart max(field_a) as "NOT Reporting" max(field_b) as "Reporting"

[dashboard_search2]
action.email.inline = 1
alert.digest_mode = True
alert.expires = 2h
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 * * * *
dispatch.earliest_time = -48h@h
dispatch.latest_time = now
display.general.type = visualizations
display.visualizations.charting.chart = pie
enableSched = 1
search = index=_internal sourcetype=splunkd | chart max(field_x) as "NOT Reporting" max(field_y) as "Reporting"

ben_leung
Builder

Raised support ticket Case 225591 BUG: Using saved search results on a dashboard not working

splunkIT
Splunk Employee

This issue turns out to be related to a known bug (SPL-81969: Schedule saved pivot jobs are not retained, and not accessible via the history endpoint). The bug has been fixed in Splunk 6.1 or later versions.

0 Karma

goelli
Communicator

Any news on this?

0 Karma

Wilcooley
Path Finder

I was having the same problem and I think I might have found the solution: Remove "request.ui_dispatch_view = report_builder_display" and see if that makes it work (I think you'll have to restart too).

This seems to work best when you're interactively creating the report (if you are) if you schedule the search then. Saving the report and search but not scheduling the search and then going into "Saved Searches" and scheduling seems to not work. (I am not sure what happens if the saved search already exists and is scheduled.)
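A first troubleshooting pass for the symptom in this thread, as an added example (not code from any poster or from Splunk): list the saved searches a dashboard references, confirm each one is scheduled, and diff the stanza of the panel that re-runs its search against the one that loads scheduled results. The inline XML and stanzas are abridged from ben_leung's post; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Abridged from the dashboard and savedsearches.conf posted in this thread.
DASHBOARD_XML = """<dashboard><row>
<chart><title>Dashboard1</title><searchName>dashboard_search1</searchName></chart>
<chart><title>Dashboard2</title><searchName>dashboard_search2</searchName></chart>
</row></dashboard>"""
SAVEDSEARCHES_CONF = """
[dashboard_search1]
counttype = number of events
cron_schedule = 1 * * * *
dispatch.earliest_time = -48h
enableSched = 1
request.ui_dispatch_view = search

[dashboard_search2]
cron_schedule = 0 * * * *
dispatch.earliest_time = -48h@h
enableSched = 1
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}, splitting on the first '='."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def panel_searches(xml_text):
    """Saved-search names referenced by <searchName> elements, in panel order."""
    return [el.text.strip() for el in ET.fromstring(xml_text).iter("searchName")]

def not_scheduled(conf, names):
    """Referenced searches that are missing or have scheduling disabled."""
    return [n for n in names if conf.get(n, {}).get("enableSched", "0").lower() not in ("1", "true")]

def stanza_diff(conf, failing, working):
    """Settings that differ between a failing and a working stanza."""
    a, b = conf[failing], conf[working]
    return {
        "only_in_failing": sorted(a.keys() - b.keys()),
        "only_in_working": sorted(b.keys() - a.keys()),
        "changed": {k: (a[k], b[k]) for k in sorted(a.keys() & b.keys()) if a[k] != b[k]},
    }

if __name__ == "__main__":
    conf = parse_conf(SAVEDSEARCHES_CONF)
    print("not scheduled:", not_scheduled(conf, panel_searches(DASHBOARD_XML)))
    print(stanza_diff(conf, "dashboard_search1", "dashboard_search2"))
```

On the abridged stanzas both searches are scheduled, and the diff reports `counttype` and `request.ui_dispatch_view` as the settings present only in the failing stanza, which narrows what to test by removal.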

jstockamp
Communicator

Here's the Simple XML:

<?xml version='1.0' encoding='utf-8'?>
<dashboard>
  <label>Yesterday - Overview</label>
  <row>
    <chart>
      <searchName>rpt_All_Yesterday_Bandwidth_by_Product</searchName>
      <title>Bandwidth by Product</title>
      <option name="charting.chart">line</option>
    </chart>
  </row>
  <row>
    <chart>
      <searchName>rpt_All_Yesterday_Hits_by_Product</searchName>
      <title>Hits by Product</title>
    </chart>
  </row>
</dashboard>

And here's the configuration from /opt/splunk/etc/apps/$MY_APP/local/savedsearches.conf

[rpt_All_Yesterday_Hits_by_Product]
action.email.inline = 1
alert.suppress = 0
alert.track = 0
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
displayview = report_builder_display
enableSched = 1
realtime_schedule = 0
request.ui_dispatch_view = report_builder_display
search = eventtype="evt_all"| timechart count(linecount) as Hits by product
vsid = *:goolxglv

[rpt_All_Yesterday_Bandwidth_by_Product]
action.email.inline = 1
alert.suppress = 0
alert.track = 1
cron_schedule = 0 1 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
enableSched = 1
search = eventtype="evt_all"| eval MB=coalesce(sc_bytes,bytes)/1024/1024 | timechart sum(MB) as TotalMB by product
vsid = *:xa3buy0h
disabled = 0

Let me know if you need anything else.

Ant1D
Motivator

From what I can see, there doesn't seem to be anything wrong with your code. When I first read your description, I thought that your dashboard was not loading results at all. Generally, if you reference a saved search in a dashboard as you have done above, it will attempt to run the saved search so there will be some loading time. However, it is generally faster to load a scheduled saved search than to run a search from scratch (using the searchString tags).

0 Karma

jstockamp
Communicator

No one has any ideas where to start troubleshooting? Haven't heard anything back on my open support case either.

Ant1D
Motivator

A good place to start troubleshooting is by reviewing the xml code for your dashboard that has this saved search added to it. Post up an extract of this code. Also, what are the configured settings for when this saved search is scheduled to run?

0 Karma

Ant1D
Motivator

Can you post an extract of your code? It will help for troubleshooting. Thanks

0 Karma