Sorry, this is a long question - don't be intimidated, most of it is just examples of stuff that doesn't work...
I am trying to create a morning check dashboard with 20 searches. I wanted to schedule these searches for three reasons: The results will show up faster, I know the data will be from a certain time, and my users won't get the error about running too many concurrent searches.
I have created the 20 saved searches, scheduled them for the appropriate time and added them to the dashboard. However, when users access the dashboard, it ALWAYS runs the saved search again. This means that the time period is all wrong and makes the dashboard not useful.
I can see the previous job history for the time that the search was scheduled in the job manager and even recall the cached results by clicking through to that search from the job manager. Their expire time is well long enough to cover the time that the dashboard is accessed. Accessing the dashboard results in new jobs appearing in the job manager, in addition to the scheduled ones, confirming that it is being run again.
I have tried to add a dispatch.ttl = 1p to the saved search to ensure the results are cached for long enough. An example of my saved search is this:
[MS_netapp_mornchk_bnprdfls011]
cron_schedule = 30 6 * * *
description = Used in the MS team's netapp checks dashboards
dispatch.earliest_time = -810m@m
dispatch.latest_time = now
dispatch.ttl = 1p
displayview = flashtimeline
enableSched = 1
request.ui_dispatch_view = flashtimeline
search = sourcetype="syslog_forward" tag::host="netapp" host="bnprdfls011.igi.ig.local" NOT eventtype=netapp_ignore AND NOT msgsev=info
I have tried to add the search to the dashboard in simple and advanced xml, same results:
<row>
  <table>
    <searchName>MS_netapp_mornchk_bnprdfls011</searchName>
    <title>bnprdfls011.igi.ig.local</title>
    <fields>_time, msgsev, msgtype, msgtext</fields>
    <option name="drilldown">row</option>
    <option name="count">20</option>
    <option name="showPager">true</option>
    <option name="displayRowNumbers">false</option>
  </table>
</row>
AND
<module name="HiddenSavedSearch" layoutPanel="panel_row1_col1" group="bnprdfls011.igi.ig.local" autoRun="True">
  <param name="savedSearch">MS_netapp_mornchk_bnprdfls011</param>
  <param name="useHistory">"True"</param>
  <param name="groupLabel">bnprdfls011.igi.ig.local</param>
  <module name="ViewstateAdapter">
    <param name="savedSearch">MS_netapp_mornchk_bnprdfls011</param>
    <module name="HiddenFieldPicker">
      <param name="fields">_time,msgsev,msgtype,msgtext</param>
      <param name="strictMode">True</param>
      <module name="JobProgressIndicator"/>
      <module name="Paginator">
        <param name="count">20</param>
        <param name="entityName">results</param>
        <module name="EnablePreview">
          <param name="enable">True</param>
          <param name="display">False</param>
          <module name="SimpleResultsTable">
            <param name="count">20</param>
            <param name="drilldown">row</param>
            <param name="allowTransformedFieldSelect">True</param>
            <param name="displayRowNumbers">false</param>
            <module name="ConvertToDrilldownSearch">
              <module name="ViewRedirector">
                <param name="viewTarget">flashtimeline</param>
              </module>
            </module>
          </module>
          <module name="ViewRedirectorLink">
            <param name="viewTarget">flashtimeline</param>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
What am I doing wrong?
Hi,
If anyone comes across this thread, they could refer to Option 2 in this thread "How to store results of searches in Dashboard?" in order to achieve something similar. Build a report with loadjob from "Saved Scheduled Search(es)".
loadjob
"Loads events or results of a previously completed search job. The artifacts to load are identified either by the search job id <sid> or a scheduled search name and the time range of the current search. If a saved search name is provided and multiple artifacts are found within that range, the latest artifacts are loaded."
Happy Splunking!
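The loadjob approach referred to in this answer, applied to the asker's Simple XML panel, as an added example that is not part of the original posts. The owner `admin` and app `search` in the `savedsearch` argument and the `-24h@h` time range are assumptions; `<searchString>`, `<earliestTime>` and `<latestTime>` belong to the same older Simple XML dialect as the asker's `<searchName>` panel.

```xml
<!-- Added example. "admin" (owner) and "search" (app) are assumed values;
     replace them with the owner and app of the scheduled search. -->
<row>
  <table>
    <!-- Inline search instead of <searchName>: loadjob reads the artifact of
         the latest scheduled run rather than running the saved search again. -->
    <searchString>| loadjob savedsearch="admin:search:MS_netapp_mornchk_bnprdfls011"</searchString>
    <!-- Per the loadjob description quoted above, the artifact is looked up
         within the time range of the current search, so this range (an
         assumed value) must include the 06:30 scheduled run. -->
    <earliestTime>-24h@h</earliestTime>
    <latestTime>now</latestTime>
    <title>bnprdfls011.igi.ig.local</title>
    <fields>_time, msgsev, msgtype, msgtext</fields>
    <option name="drilldown">row</option>
    <option name="count">20</option>
    <option name="showPager">true</option>
    <option name="displayRowNumbers">false</option>
  </table>
</row>
```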
Better late than never.
If your scheduled searches are executing at the time you load/refresh the dashboard, then the dashboard panel will pick up the current execution showing the "Loading xx%" bar at the bottom.
Check your searches and ensure they are not running longer than your desired refresh rate, or whether they are typically still running at the time the dashboard is loaded.
1) Have you tried the loadjob command?
2) I am trying to build a link to the scheduled search results akin to what the job mgmt screen does:
| rest /services/search/jobs | search dispatchState="DONE" delegate="scheduler"
| eval url="https://splunkserver:port/en-US/app/search/flashtimeline?sid="+sid
You also might have to edit the local.meta file to change the scheduled search to be owned by "nobody" for everyone to have access to the results.
Can you log in as one of the users, and then check to see if you can see the cached search results?
My guess is that the saved results are private, and therefore the users can't read them.
Sorry, no. I pretty much just gave up on it and the dashboard just runs searches at load time instead of using the cache.
Any update on this?
It doesn't even work for me - I created, saved and scheduled the searches, built the dashboard and accessed it all as my own user, so permissions to my own searches shouldn't be the problem.