Savedsearch shows up in Job Management as search s...

essklau · ‎07-15-2014

Hi,

I have a search

index=net earliest=-1d@d latest=@d sourcetype=cisco_asa "*TEARDOWN*"  transport!=ICMP src_ip=10.0.0.0/8 AND dest_ip!=10.0.0.0/8|localop|lookup dnsLookup ip as dest_ip OUTPUTNEW host as hostname |eval Endpoints=src_ip.":".src_port." to ".dest_ip.":".dest_port." (".hostname.")" | eval MB=(bytes_in/1024/1024) | stats max(MB) as "Connection Size(MB)" by Endpoints|rename "Endpoints" as "Source IP:Port to Dest IP:Port" |sort - "Connection Size(MB)" limit=25

which is scheduled to run once/day. When it does run, it shows up in the Jobs panel as the search string, rather than the name it is saved as. I feel like this might be a clue in a larger troubleshoot i'm trying to do. Has anyone seen this before?

Bigger picture: the search results don't load my dashboard, unlike all other dashboards including one extremely similar search.

Thanks

jimodonald · ‎07-15-2014

I've seen similar behavior on 6.1.1 when I moved a dashboard using saved searches to a different search head. To fix it, i converted the dashboard to Advanced XML and it worked. Unfortunately I can't say why it works that way and I have not ranked it important enough to open a ticket with Splunk.

Try making an Advanced XML version of your dashboard and see if that works. I'll be interested to hear if your results match mine.

Savedsearch shows up in Job Management as search string rather than what the search is saved as.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!