I've got a saved search configured on a schedule and if I click on "view recent" I can see recent runs and if I click on a run I can see the report output. Now when I try to add this saved search to a dashboard, it's still trying running the search as if there were no saved results available. Where should I start troubleshooting?
Also facing this issue. Currently on Splunk version 6.0.5
Some panels are pulling the search results of scheduled searches, while some are not.
From the configs below, the panel for Dashboard1 is acting as if it is an inline search.
Dashboard2 panel is working as expected.
<dashboard>
<label>Testing Dashboard</label>
<description/>
<row>
<chart>
<title>Dashboard1</title>
<searchName>dashboard_search1</searchName>
<option name="charting.chart.showLabels">false</option>
<option name="height">100px</option>
<drilldown target="_blank">
<link>
<![CDATA[/app/search/dashboard1]]>
</link>
</drilldown>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.fieldColors">{"NOT Reporting": 0xFF0000, "Reporting": 0x84E900}</option>
</chart>
<chart>
<title>Dashboard2</title>
<searchName>dashboard_search2</searchName>
<option name="charting.chart.showLabels">false</option>
<option name="height">100px</option>
<drilldown target="_blank">
<link>
<![CDATA[/app/search/dashboard2]]>
</link>
</drilldown>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.fieldColors">{"NOT Reporting": 0xFF0000, "Reporting": 0x84E900}</option>
</chart>
</row>
</dashboard>
The saved searches dot conf of the search is below.
[dashboard_search1]
action.email.inline = 1
action.email.sendresults = 1
action.email.to = my_email@domain.com
alert.digest_mode = True
alert.expires = 2h
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = 1 * * * *
dispatch.earliest_time = -48h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = search
search = index=_internal sourcetype=splunkd | chart max(field_a) as "NOT Reporting" max(field_b) as "Reporting"
[dashboard_search2]
action.email.inline = 1
alert.digest_mode = True
alert.expires = 2h
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 * * * *
dispatch.earliest_time = -48h@h
dispatch.latest_time = now
display.general.type = visualizations
display.visualizations.charting.chart = pie
enableSched = 1
search = index=_internal sourcetype=splunkd | chart max(field_x) as "NOT Reporting" max(field_y) as "Reporting"
Also facing this issue. Currently on Splunk version 6.0.5
Some panels are pulling the search results of scheduled searches, while some are not.
From the configs below, the panel for Dashboard1 is acting as if it is an inline search.
Dashboard2 panel is working as expected.
<dashboard>
<label>Testing Dashboard</label>
<description/>
<row>
<chart>
<title>Dashboard1</title>
<searchName>dashboard_search1</searchName>
<option name="charting.chart.showLabels">false</option>
<option name="height">100px</option>
<drilldown target="_blank">
<link>
<![CDATA[/app/search/dashboard1]]>
</link>
</drilldown>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.fieldColors">{"NOT Reporting": 0xFF0000, "Reporting": 0x84E900}</option>
</chart>
<chart>
<title>Dashboard2</title>
<searchName>dashboard_search2</searchName>
<option name="charting.chart.showLabels">false</option>
<option name="height">100px</option>
<drilldown target="_blank">
<link>
<![CDATA[/app/search/dashboard2]]>
</link>
</drilldown>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.chart">pie</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
<option name="charting.fieldColors">{"NOT Reporting": 0xFF0000, "Reporting": 0x84E900}</option>
</chart>
</row>
</dashboard>
The saved searches dot conf of the search is below.
[dashboard_search1]
action.email.inline = 1
action.email.sendresults = 1
action.email.to = my_email@domain.com
alert.digest_mode = True
alert.expires = 2h
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
counttype = number of events
cron_schedule = 1 * * * *
dispatch.earliest_time = -48h
dispatch.latest_time = now
display.general.timeRangePicker.show = 0
display.general.type = visualizations
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_view = search
search = index=_internal sourcetype=splunkd | chart max(field_a) as "NOT Reporting" max(field_b) as "Reporting"
[dashboard_search2]
action.email.inline = 1
alert.digest_mode = True
alert.expires = 2h
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 0 * * * *
dispatch.earliest_time = -48h@h
dispatch.latest_time = now
display.general.type = visualizations
display.visualizations.charting.chart = pie
enableSched = 1
search = index=_internal sourcetype=splunkd | chart max(field_x) as "NOT Reporting" max(field_y) as "Reporting"
Raised support ticket Case 225591 BUG: Using saved search results on a dashboard not working
This issue turns out to be related to a known bug (SPL-81969: Schedule saved pivot jobs are not retained, and not accessible via the history endpoint). The bug has been fixed in splunk 6.1 or later versions.
Any news on this?
I was having the same problem and I think I might have found the solution: Remove "request.ui_dispatch_view = report_builder_display"
and see if that makes it work (I think you'll have to restart too).
This seems to work best when you're interactively creating the report (if you are) if you schedule the search then. Saving the report and search but not scheduling the search and then going into "Saved Searches" and scheduling seems to not work. (I am not sure what happens if the saved search already exists and is scheduled.)
Here's the Simple XML:
<?xml version='1.0' encoding='utf-8'?>
<dashboard>
<label>Yesterday - Overview</label>
<row>
<chart>
<searchName>rpt_All_Yesterday_Bandwidth_by_Product</searchName>
<title>Bandwidth by Product</title>
<option name="charting.chart">line</option>
</chart>
</row>
<row>
<chart>
<searchName>rpt_All_Yesterday_Hits_by_Product</searchName>
<title>Hits by Product</title>
</chart>
</row>
</dashboard>
And here's the configuration from /opt/splunk/etc/apps/$MY_APP/local/savedsearches.conf
[rpt_All_Yesterday_Hits_by_Product] action.email.inline = 1 alert.suppress = 0 alert.track = 0 cron_schedule = 0 1 * * * dispatch.earliest_time = -1d@d dispatch.latest_time = @d displayview = report_builder_display enableSched = 1 realtime_schedule = 0 request.ui_dispatch_view = report_builder_display search = eventtype="evt_all"| timechart count(linecount) as Hits by product vsid = *:goolxglv [rpt_All_Yesterday_Bandwidth_by_Product] action.email.inline = 1 alert.suppress = 0 alert.track = 1 cron_schedule = 0 1 * * * dispatch.earliest_time = -1d@d dispatch.latest_time = @d enableSched = 1 search = eventtype="evt_all"| eval MB=coalesce(sc_bytes,bytes)/1024/1024 | timec hart sum(MB) as TotalMB by product vsid = *:xa3buy0h disabled = 0
Let me know if you need anything else.
From what I can see, there doesn't seem to be anything wrong with your code. when I first read your description, I thought that your dashboard was not loading results at all. Generally, if you reference a saved search in a dashboard as you have done above, it will attempt to run the saved search so there will be some loading time. However, it is generally faster to load a scheduled saved search than to run a search from scratch (using the searchString tags)
No one has any ideas where to start troubleshooting? Haven't heard anything back on my open support case either.
A good place to start troubleshooting is by reviewing the xml code for your dashboard that has this saved search added to it. Post up an extract of this code. Also, what are the configured settings for when this saved search is scheduled to run?
Can you post an extract of your code? It will help for troubleshooting. Thanks