Dashboards & Visualizations

Saved Searches' unexpected behavior

twinspop
Influencer

With some experimenting, I've found that saved searches that are visible to all apps, and readable by everyone, do not have results that are accessible to other apps. That means that although you can add them to a dashboard or view in another app, the search will be run in real time when you load the view. Are saved scheduled search reports only available in their respective apps regardless of the search permission settings?

I came across this issue and tried using the move feature in the Saved Search manager (when logged in as admin). Server error.[1]

So I cloned the search and assigned the clone to the app I wanted. That method sort of worked. The search was copied, but not the report -- my chart was all wanky with default settings. I could see no way in the GUI to edit the saved search's chart settings, so I copied the viewstate stanza from the old search into the viewstate.conf file local to the target app, put that viewstate into savedsearches.conf, and restarted Splunk. Shouldn't 'clone' clone everything? Is there a better way to get properly configured charts copied in the cloning process?

[1] error message:

500 Internal Server Error
RESTException: [HTTP 409] [{'text': "In handler 'savedsearch': Object with 
id=REPORT_Web_Errors_by_Host already exists in config=savedsearches, user=nobody, 
app=my_app", 'code': None, 'type': 'ERROR'}]; None
Tags (2)
1 Solution

jbsplunk
Splunk Employee
Splunk Employee

It sounds like what you did made the search available globally. In order to get the results of a saved search into a new app after you've made it available, you'd need to run it in in the desired app as it won't have access to the job run in the other app.

With regard to the cloning issue, the report is another object outside of the saved search, so that won't be cloned. The only object to be cloned will be the actual saved search in the scenario you mention above. If you look under Manager » Searches and reports, you'll see searches have a display view of 'None', and reports have a display view of 'report_builder_display'. You would need to make both available globally. Making the report available does not affect the report settings or the results of the saved search which is used to build the report. The answer to would be have a report and a saved search both made available to other apps.

View solution in original post

jbsplunk
Splunk Employee
Splunk Employee

It sounds like what you did made the search available globally. In order to get the results of a saved search into a new app after you've made it available, you'd need to run it in in the desired app as it won't have access to the job run in the other app.

With regard to the cloning issue, the report is another object outside of the saved search, so that won't be cloned. The only object to be cloned will be the actual saved search in the scenario you mention above. If you look under Manager » Searches and reports, you'll see searches have a display view of 'None', and reports have a display view of 'report_builder_display'. You would need to make both available globally. Making the report available does not affect the report settings or the results of the saved search which is used to build the report. The answer to would be have a report and a saved search both made available to other apps.

jbsplunk
Splunk Employee
Splunk Employee

Yes, the behavior is by design.

0 Karma

twinspop
Influencer

If I read this right, the short answer is: By design.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...