
jobs page search results

carmackd
Communicator

I noticed when recalling a saved search from the jobs page, I can only view the results if I have some sort of formatting on the end of my search string, such as “ | stats count by host.” If my saved search equals ex… “sourcetype=syslog”, the timeline fills in but no results are returned. Thoughts?

1 Solution

Lowell
Super Champion

This is because your events are not actually stored in all cases. (If you switch from the results view to the "Events" view when you open a job, you will see that the events are missing there too.)

You can manually change this by adjusting the dispatch.buckets value. This is 0 by default for saved searches (and 300 for interactive searches). This is 0 for saved searches because you don't need interactive feedback as the job runs, which does allow it to run faster in the background; the downside is that you don't get any timeline info and the actual events are not stored. If you want to change this for a specific search, you can find your saved search in savedsearches.conf and add an entry like this:

[your_saved_search_name]
...
dispatch.buckets = 300
...

Alternately, I often just find it more convenient to re-run the search. All the parameters are already set for you; you just have to hit the green search arrow. (Of course, if this is a big search, then this can be an expensive operation.)


From the savedsearches.conf doc:

dispatch.buckets = <integer>

  • The maximum number of timeline buckets.
  • Defaults to 0.
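
An added example (not part of the original answer, and not Splunk's own tooling) that reads a savedsearches.conf and reports the effective dispatch.buckets of each saved search, so searches whose events will not be kept can be found before someone needs them from the jobs page. It assumes an unset value means 0, as stated above, that a [default] stanza supplies the value when a search does not set one, and it uses a rough heuristic (no pipe in the search string) for "raw event search"; the stanza names and sample file are constructed.

```python
import re

# Constructed sample file, not taken from a real deployment.
SAMPLE_CONF = """\
[default]
dispatch.earliest_time = -24h

[syslog_raw_events]
search = sourcetype=syslog
dispatch.buckets = 300

[syslog_count_by_host]
search = sourcetype=syslog | stats count by host

[auth_failures_raw]
search = sourcetype=syslog "authentication failure"
"""

def parse_conf(text):
    """Return {stanza: {key: value}} for simple .conf text (no line continuations)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_buckets(text, fallback=0):
    """Map each saved search to its effective dispatch.buckets and a warning flag."""
    stanzas = parse_conf(text)
    # Assumption: [default] applies to every stanza that does not override it.
    inherited = stanzas.get("default", {}).get("dispatch.buckets", fallback)
    report = {}
    for name, settings in stanzas.items():
        if name == "default":
            continue
        try:
            buckets = int(settings.get("dispatch.buckets", inherited))
        except ValueError:
            buckets = None  # value present but not an integer
        # Heuristic: no pipe means the search returns raw events only.
        raw_only = "|" not in settings.get("search", "")
        report[name] = {"buckets": buckets, "empty_job_view": buckets == 0 and raw_only}
    return report

if __name__ == "__main__":
    for name, info in audit_buckets(SAMPLE_CONF).items():
        print(name, info)
```

Searches flagged with empty_job_view are the ones that would need dispatch.buckets raised, or a re-run, to show events when recalled.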


Lowell
Super Champion

I added a link to the docs. If you feel like it should be explained better or in more detail, feel free to email the people who maintain the docs with your thoughts or ideas. Their email is docs@splunk.com.

0 Karma

carmackd
Communicator

Thanks for the response, and good advice. Your suggestion worked great! This should be mentioned in the Splunk documentation but like many other things, it's not.

0 Karma