some scheduled saved searches not saved

wojtek_swiatek · ‎10-21-2013

Hello,

I have on the same dashboard a few searches, all scheduled, out of which half are not actually saved (when opening the dashboard some of the panels appear immediately with a "... hours ago" while others's search is run only at that time).

They look similar in the configuration. For instance this one is scheduled & correctly saved

[Panel 1]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 0
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 25 06 * * *
dispatch.earliest_time = -3mon@mon
dispatch.latest_time = now
displayview = flashtimeline
enableSched = 1
request.ui_dispatch_view = flashtimeline
search = (the search query goes here)
vsid = hfm8s3w8

while that one is not

[Panel 2]
action.email.inline = 1
alert.digest_mode = True
alert.suppress = 0
alert.track = 1
auto_summarize.dispatch.earliest_time = -1d@h
cron_schedule = 50 6 * * *
dispatch.earliest_time = -90d@d
dispatch.latest_time = now
enableSched = 1
search = (search query goes here)

They were both created via the GUI, not directly coded into the savedsearches.conf file.

Thank you for any insights!

jtrucks · ‎10-21-2013

It is possible to use a search in a dashboard that is not in the saved searches list. If you created the search within the dashboard, or altered the search parameters within the dashboard context and did not change the original saved search, then that search would not be shown in the saved searches list.

Also, your missing search may be in the $SPLUNKHOME/users/username/appname/local/savedsearches.conf file not in the $SPLUNKHOME/etc/apps/appname/local/savedsearches.conf file.

--
Jesse Trucks
Minister of Magic

some scheduled saved searches not saved

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases