Hi,
We are using SplunkStorm.
I have a form with a dropdown field being populated with search results using
However, it takes too long and the values rarely change. I want to replace that with
I ran the search and saved the results. When I click on the Jobs, I see the saved search showing up with status "Done" and Expires set to "Saved", but there is no id. I need that id to use it in the
Thanks in advance for your help.
So there are two things that sound the same, but are different.
When you 'save results', or 'send to background', the handle you have on that is the ID of the search job, aka the id of the search results.
However when you 'save a search', or create a saved search, you're creating something that has a more stable configuration.
PopulatingSavedSearch is expecting the "name" of a saved search -- the name that you give it when you save it. And you cant give it an id of a search-result.
When and if the saved search has been running on a schedule, and it has a recent search result set associated with it, the dashboard systems will use that recent result instead of running the search ad-hoc. On the other hand if the 'saved search' does not have a schedule on it, the dashboard will have to run the search fresh each time to populate your dropdown.
searching through documentation onlline, I stumbled on the info that the free version of Splunk does not have the scheduling feature! Does that mean that I can not use saved searches in my forms/dashboards to make them load faster? IS there any way to get around this limitation in the free version?
Thanks. now I understand.
We are using SplunkStorm and when I create a saved search it does not present the option to schedule it too, which is what seems to be the thing that I need to do. According to the online document, when I go to search and reports (from manager) and create a search, the prompt shoudl also include scheduling options, but it does not. Neither the "create" or "save" buttons on the search screen have schedulign option!
Am I missing something? Is there anyway to schedule a search on SplunkStorm?
Appreciate your help
have you tried | rest
search?
| rest /services/search/jobs count=0 | search isDone=1 isSavedSearch=1 | table label sid
-set your dropdown to populate with above values
-then another postprocess search
| loadjob $sid$