How can I use scheduled savedsearch results in a dashboard?

Glenn
Builder

Sorry this is a long question - don't be intimidated, most of it is just examples of stuff that doesn't work...

I am trying to create a morning check dashboard with 20 searches. I wanted to schedule these searches for three reasons: The results will show up faster, I know the data will be from a certain time, and my users won't get the error about running too many concurrent searches.

I have created the 20 saved searches, scheduled them for the appropriate time and added them to the dashboard. However, when users access the dashboard, it ALWAYS runs the saved search again. This means that the time period is all wrong and makes the dashboard not useful.

I can see the previous job history for the time that the search was scheduled in the job manager and even recall the cached results by clicking through to that search from the job manager. Their expire time is well long enough to cover the time that the dashboard is accessed. Accessing the dashboard results in new jobs appearing in the job manager, in addition to the scheduled ones, confirming that it is being run again.

I have tried to add a dispatch.ttl = 1p to the saved search to ensure the results are cached for long enough. An example of my saved search is this:

[MS_netapp_mornchk_bnprdfls011]
cron_schedule = 30 6 * * *
description = Used in the MS team's netapp checks dashboards
dispatch.earliest_time = -810m@m
dispatch.latest_time = now
dispatch.ttl = 1p
displayview = flashtimeline
enableSched = 1
request.ui_dispatch_view = flashtimeline
search = sourcetype="syslog_forward" tag::host="netapp" host="bnprdfls011.igi.ig.local" NOT eventtype=netapp_ignore AND NOT msgsev=info

I have tried to add the search to the dashboard in simple and advanced xml, same results:

  <row>
    <table>
      <searchName>MS_netapp_mornchk_bnprdfls011</searchName>
      <title>bnprdfls011.igi.ig.local</title>
      <fields>_time, msgsev, msgtype, msgtext</fields>
      <option name="drilldown">row</option>
      <option name="count">20</option>
      <option name="showPager">true</option>
      <option name="displayRowNumbers">false</option>
    </table>
  </row>

AND

  <module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" group="bnprdfls011.igi.ig.local" autoRun="True">
    <param name="savedSearch">MS_netapp_mornchk_bnprdfls011</param>
    <param name="useHistory">"True"</param>
    <param name="groupLabel">bnprdfls011.igi.ig.local</param>
    <module name="ViewstateAdapter">
      <param name="savedSearch">MS_netapp_mornchk_bnprdfls011</param>
      <module name="HiddenFieldPicker">
        <param name="fields">_time,msgsev,msgtype,msgtext</param>
        <param name="strictMode">True</param>
        <module name="JobProgressIndicator"/>
        <module name="Paginator">
          <param name="count">20</param>
          <param name="entityName">results</param>
          <module name="EnablePreview">
            <param name="enable">True</param>
            <param name="display">False</param>
            <module name="SimpleResultsTable">
              <param name="count">20</param>
              <param name="drilldown">row</param>
              <param name="allowTransformedFieldSelect">True</param>
              <param name="displayRowNumbers">false</param>
              <module name="ConvertToDrilldownSearch">
                <module name="ViewRedirector">
                  <param name="viewTarget">flashtimeline</param>
                </module>
              </module>
            </module>
            <module name="ViewRedirectorLink">
              <param name="viewTarget">flashtimeline</param>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>

What am I doing wrong?

JL99
Explorer

Hi,

If anyone comes across this thread, they could refer to Option 2 in the thread "How to store results of searches in Dashboard?" in order to achieve something similar: build a report with loadjob from "Saved Scheduled Search(es)".

loadjob
"Loads events or results of a previously completed search job. The artifacts to load are identified either by the search job id <sid> or a scheduled search name and the time range of the current search. If a saved search name is provided and multiple artifacts are found within that range, the latest artifacts are loaded."


Happy Splunking!

0 Karma
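
The loadjob approach from the reply above, applied to the saved search in the question, as an added example that is not part of the original post. OWNER and APP are placeholders for the saved search's owner and app context, and the 24-hour window is an assumption chosen to cover the 06:30 daily schedule.

```xml
<row>
  <table>
    <!-- Added example: load the artifact of the last scheduled run instead of
         dispatching the saved search again.
         OWNER and APP are placeholders, not values from the thread. -->
    <searchString>| loadjob savedsearch="OWNER:APP:MS_netapp_mornchk_bnprdfls011"</searchString>
    <!-- Assumption: per the quoted loadjob description, the artifact is picked
         by the time range of this search, so the window must include the
         most recent scheduled run (cron 30 6 * * *). -->
    <earliestTime>-24h</earliestTime>
    <latestTime>now</latestTime>
    <title>bnprdfls011.igi.ig.local</title>
    <fields>_time, msgsev, msgtype, msgtext</fields>
    <option name="drilldown">row</option>
    <option name="count">20</option>
    <option name="showPager">true</option>
    <option name="displayRowNumbers">false</option>
  </table>
</row>
```

loadjob only returns results if the viewing user can read the scheduled job's artifact.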

grantjansen
Explorer

Better late than never.

If your scheduled searches are executing at the time you load/refresh the dashboard, then the dashboard panel will pick up the current execution showing the "Loading xx%" bar at the bottom.

Check your searches and ensure they are not running longer than your desired refresh rate or if they are still running at the time the dashboard is loaded up typically.

0 Karma

raziasaduddin
Path Finder

1) Have you tried the loadjob command?

2) I am trying to build a link to the scheduled search results akin to what the job mgmt screen does:

| rest /services/search/jobs | search dispatchState="DONE" delegate="scheduler"
| eval url="https://splunkserver:port/en-US/app/search/flashtimeline?sid="+sid

You also might have to edit the local.meta file to change the scheduled search to be owned by "nobody" for everyone to have access to the results.

0 Karma

lguinn2
Legend

Can you login as one of the users, and then check to see if you can see the cached search results?

My guess is that the saved results are private, and therefore the users can't read them.

0 Karma

Glenn
Builder

Sorry, no. I pretty much just gave up on it and the dashboard just runs searches at load time instead of using the cache.

0 Karma

tonopahtaos
Path Finder

Any update on this?

0 Karma

Glenn
Builder

It doesn't even work for me - I created, saved and scheduled the searches, built the dashboard and accessed it all as my own user, so permissions to my own searches shouldn't be the problem.

0 Karma