- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- jobs page search results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed when recalling a saved search from the jobs page, I can only view the results if I have some sort of formatting on the end of my search string, such as “ | stats count by host.” If my saved search equals ex… “sourcetype=syslog” , the timeline fills in but no results are returned. Thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is because your events are not actually stored in all cases. (If you switch from the results view to the "Events" view when you open a job, you will see that the events are missing there too.)
You can manually change this by adjusting the dispatch.buckets value. This is 0 by default for saved searches (and 300 for interactive searches). This is 0 for saved searches beacause you don't need interactive feedback as the job runs, which does allow it to run faster in the background, the downside it that you don't get any timeline info and the actual events are not stored. If you want to change this for a specific search, you can find your saved search in savedsearches.conf and add an entry like this:
[your_saved_search_name]
...
dispatch.buckets = 300
...
Alternately, I often just find it more convenient to re-run the search. All the parameters are already set for you, just just have hit the green search arrow. (Of course if this is a big search, than this can be an expensive operation.)
From the savedsearches.conf doc:
dispatch.buckets = <integer>
- The maximum number of timeline buckets.
- Defaults to 0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is because your events are not actually stored in all cases. (If you switch from the results view to the "Events" view when you open a job, you will see that the events are missing there too.)
You can manually change this by adjusting the dispatch.buckets value. This is 0 by default for saved searches (and 300 for interactive searches). This is 0 for saved searches beacause you don't need interactive feedback as the job runs, which does allow it to run faster in the background, the downside it that you don't get any timeline info and the actual events are not stored. If you want to change this for a specific search, you can find your saved search in savedsearches.conf and add an entry like this:
[your_saved_search_name]
...
dispatch.buckets = 300
...
Alternately, I often just find it more convenient to re-run the search. All the parameters are already set for you, just just have hit the green search arrow. (Of course if this is a big search, than this can be an expensive operation.)
From the savedsearches.conf doc:
dispatch.buckets = <integer>
- The maximum number of timeline buckets.
- Defaults to 0.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I added a link to the docs. If you feel like it should be explained better or in more details, feel free to email the people who maintain the docs with your thoughts or ideas. Their email is docs@splunk.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response, and good advice. Your suggestion worked great! This should be mentioned in the Splunk documentation but like many other things, it's not.
Bridging the Gap: Splunk Helps Students Move from Classroom to Career
Preparing your Splunk Environment for OpenSSL3
Unleash Unified Security and Observability with Splunk Cloud Platform
