Need workaround- Loadjob does not work on ad hoc searches in search cluster
We currently use a single search head with an index cluster. I have written a large number of relatively complex dashboards that utilize loadjob. I recently learned, on the documentation page for the...
Can you help me with a question about a search using the loadjob command and...
I have a saved query that can show data up to 90 days. But, when I run the search using the loadjob command, I would like to provide an option to view only 30/60/90 days data based on a user's choice. I...
Improving search performance of search powered by summary index, datamodel...
I have a panel which loads data for `last 3 months` and it takes approx 120 secs to load the single panel value - showing the count of advanced users in percentage. Currently, we have implemented the...
Is it possible to loadjob a post-processed search?
Hi guys, Loadjob $post_process_search$ only loads $base_search$ data and not anything from the post-process search? Why? I understand it probably has something to do with how the $job.sid$ token is...
Splunk loadjob not returning data but savedsearch does
Hello all, I am seeing a weird issue. **I am logged in as admin** and my search is saved as scheduled search. This is not giving any result: `| loadjob savedsearch="admin:search:my_test_report"` This is...
Feature request: Job Manager/loadjob - Display SID and Filter on...
It would be helpful to make the SID more readily accessible. It is currently available only in the "Inspect Job" pop up windows. I regularly run somewhat long initial searches that I further winnow...
Waiting for queued jobs for every dashboard opened
Hey all, I created 15 long run reports with big searches, I also scheduled it every month and saved those reports in 3 dashboards with each dashboard 5 reports in a panel, using below search. Now am...
How to load all artifact_offsets in loadjob?
Hey all! I have a saved search that runs on a schedule and generates those "artifacts", I know I can access a specific artifact offset like this `| loadjob savedsearch="my.user:search:test_search"`...
Is savedsearchjobload faster than querying index?
Is accessing results from a savedsearch via loadjob and timefilter faster or slower than from an index and what are limits?
help on issue between a loadjob savedsearch and a
Hi, I called a scheduled from my dashboard `| loadjob savedsearch="admin:XX:Hardware - Battery cycle pie" | search Site=$tok_filtersite|s$` I have an issue with `| search Site=$tok_filtersite|s$` because...
help for catching a field in order to use it in an loadjob command
Hi In the saved search below, I retrieve the field "SITE" because I use a dropdown list in my dashboard in order to filter events by SITE | stats avg(sent_data) as sent_data avg(received_data) as...
help to display a timechart after a loadjob command
hello I call a timechart from a loadjob command like below and it works `| loadjob savedsearch="admin:toto_sh:win timechart2"` But I need to filter the events of my timechart by host because I use a text...
Error in 'SearchOperator:loadjob': Cannot find job_id 'scheduler_username_search
I'm getting this error msg when I check on View results in Splunk. Not sure why this error msg is showing up and didn't find the solution anywhere online. On Splunk, when I put a particular time range...
Can you change permissions on an executed savedsearch?
I have a dashboard that loadjobs a scheduled savedsearch. I needed to grant dashboard access to a new role, so I added permissions for that role both to the dashboard and to the savedsearch. But I got...
Loading base query by token
I'm trying to create a dashboard that does not execute the same queries multiple times. From what I have been able to find out online the way to do that is to set a token on your query so it can be...
Non-admin user needs savedsearch job date in dashboard
I have non Admin users with dashboards. The base search uses a loadjob of a job that is scheduled each day to look at a day's worth of events. Other searches in the dashboard use the loadjob command....
Why does "Search is waiting for input" has a delay if using loadjob and JS?
Main search: `makeresults | append [| loadjob "$exchange$"] | eval trigger="$submit_trigger1$"` where the ad-hoc loadjob sets `$exchange$` via $job.sid$ However, the "search is waiting for input"...
How to add the trigger time to loadjob?
Hello, I am trying to pull out the last 24 hours worth of results for an alert using `loadjob`, with the following search: index=_audit splunk_server="splunk-csh" action=alert_fired...
Is loadjob compatible with a javascript submit button when used as a base...
I use JS submit buttons because the SimpleXML submit button is useless (searchWhenChanged is broken, you can only have one button, cannot inline, cannot have multiple, and cannot have multiple...
How to pass base search results to subsearch
Hi Folks, We receive several hundred files per day from 20 different sources. The filenames contain the source that we received the file from, and have a three digit sequence number as a suffix....