Use of scheduled search in dashboard

ips_mandar
Builder

I have a dashboard which has user inputs to select a host (from a dropdown) and a time range.
Since it's a big search, I was thinking of creating a scheduled saved search which will run periodically, and this saved search will be referenced in the dashboard.
1. Since the dashboard has a dropdown to select the host, do I need to specify host=* in the scheduled saved search query so that it runs for all hosts?
2. If I am running the saved search over the last 3 days periodically, but in my dashboard I select a time range of last 7 days, will it rerun the search over the last 7 days, or how will it work?
Please clarify the above points.
Note: I have multiple hosts, and a high amount of data is coming from each host.

0 Karma
1 Solution

arjunpkishore5
Motivator

You cannot have variable time ranges or parameters on a scheduled saved search.

I think you need to change your strategy slightly here. Considering that you have a large amount of data and that your time range needs to be variable,
1. Use your scheduled search to summarize to a summary index.
2. In your dashboard, query on the summary index.
3. (Optional) Depending on your use case, you could also then consider using a "base search" on your summary index in the dashboard to speed up things further.

If you still want to continue using scheduled searches on your dashboard, you can partially do it. However, you cannot work around the time ranges in an easy way. So without variable time range,
1. Schedule your saved search for all hosts
2. In your dashboard, use loadjob to load your saved search and then filter the host

| loadjob sid
| search host IN ($selected_hosts$)

Hope this helps.

Cheers.

0 Karma
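
The summary-index approach from the answer above, written out as an added example that is not part of the original thread. The stanza name, the index names `main` and `summary_hosts`, and the fields `event_count` and `src_host` are hypothetical; `$selected_hosts$` is the token used in the answer's loadjob snippet.

```ini
# savedsearches.conf (constructed example; all names are hypothetical)
[summary_host_events_hourly]
# No host filter: the summary covers every host, so any dropdown
# selection in the dashboard can be answered from it.
# host is renamed so the value cannot be confused with the summary
# event's own host field.
search = index=main \
| bin _time span=1h \
| stats count AS event_count BY _time, host \
| rename host AS src_host
# Run at 5 minutes past each hour over the previous whole hour,
# so consecutive runs neither overlap nor leave gaps.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h
# Write the results to a summary index (the index must already exist).
action.summary_index = 1
action.summary_index._name = summary_hosts

# Dashboard panel search, run with the dashboard's time picker:
#
#   index=summary_hosts src_host IN ($selected_hosts$)
#   | timechart span=1h sum(event_count) BY src_host
```

The dashboard's time range then applies to the small summary events rather than the raw data, but it can only return hours the scheduled search has already summarized.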

ips_mandar
Builder

This makes sense to me. Thanks a lot @arjunpkishore5

0 Karma