Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Could not find a job in the saved search history.

jamesaarondevli
Path Finder
‎04-11-2011 12:20 AM

Hi,

I am trying to implement a dropdown populated with the history of a saved search.

Below is the code I am using to try and achieve this:

<module name="SearchSelectLister" >
  <param name="label">AM Filter (descending usage)</param>
  <param name="savedSearch">Access_Manager_Accounts</param>
  <param name="useHistory">true</param>
  <param name="searchWhenChanged">false</param>
  <param name="settingToCreate">dropdownAMAccountSelection</param>

I have run a backfill to capture the relevant data in the saved search's history. When I review the Jobs page I can see one entry with results. This entry has been finalized and saved.

What I would expect to happen is the dropdown would be populated with the results of this loosely represented search.

index="myindex01" | search INLINK_SPLIT="false" | dedup field1, field2, field3 | timechart span=1h count | fields INLINK

However rather than this occurring when I open the report I get the below.

"Could not find a job in the saved search "Access_Manager_Accounts" history.

Does anyone have any ideas as to why the view wouldn't be able to pick up the history of the saved search?

If further XML is required, please let me know.

Appreciate the help 🙂

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎04-11-2011 07:03 PM

This is unintuitive, but merely running a saved search from the user interface does NOT create an entry in that saved search's "history". Only the scheduler can populate the official history.

So the given saved search, although set to run on a schedule, has not actually run its first scheduled job yet.

One quick and dirty way to workaround this, at least while developing a view or a dashboard, is to set the schedule to 'every minute', wait a minute, then set it back to whatever your proper schedule was... Then you'll have a placeholder job to hold you over until the real job runs at 2AM or whenever.

More Notes:

'backfill' is term that I've only seen used in regards to Splunk's summary indexing feature, which is different from search-scheduling.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎04-11-2011 02:09 AM

You need to set useHistory to Auto (the default), or just remove it. Setting it to true requires that a previous instance of the job be run, saved, in the scope of the UI module (i.e., in the same app or exported to system), and readable by the user viewing the UI module. Is all of this true?

0 Karma
Reply

sbsbb
Builder
‎07-21-2013 05:17 AM

I've the same Problem, my view doesn't find the save search, even if :
- the name is ok
- the app ist the same for search and view
- search was launched by the scheduler...

0 Karma
Reply

jamesaarondevli
Path Finder
‎04-11-2011 02:22 AM

Hi gkanapathy,

I've checked those criteria and they are in place.
Swapped the useHistory parameter over to auto results in the dropdown field being blank. I suppose splunk is not detecting the backfill job for which I saved the results and setting the dropdown to empty.

Thanks heaps for the response though.

At this stage I am considering placing all of data required by the report in a summary index. This will mean I can quickly populate the dropdown using an inline search string.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...