Use ds.savedSearch to use reports and saved searches

Use the ds.savedSearch to bring in reports, or saved searches, from within the Splunk Dashboards app or from other apps. You can use the saved search data source to schedule these searches to run on a particular frequency and store the results, which lightens processing loads and concurrent search limits. For example, if fifty users access a particular dashboard, panels backed by scheduled saved searches will not cause the searches to run fifty times, while panels backed by searches of the the type ds.search might.

If you have dashboards in the Search & Reporting app that use reports, they will transfer as JSON stanzas of type ds.savedSearch when you open that dashboard the Splunk Dashboards app.

If you are using lookups in your search, make sure the lookup permissions are set to "global".

Imported and native reports

You must reference a saved search or report by its name by using the ref property. To specify which app the saved search or report belongs to, use the app property. If no app is specified, It's assumed the report came from the Search & Reporting app.

Access saved searches that live in the Search & Reporting app

The following procedure shows you how to access a saved search that lives in the Search & Reporting app.

1. Export your dashboard from the Search & Reporting app, or create a new one in the Splunk Dashboards app.


2. In the Search & Reporting app, find the saved search you want to use.
   You can find it in Settings > Searches, reports, and alerts. In this section, saved searches are called reports. Make a note of the exact names of the reports. The exact name must be set in the ref option of the data source stanza. You may want to use a text editor to keep track of the names.


3. Add a ds.savedSearch stanza to the dashboard definition in the Splunk Dashboards app.
   You may want to change the unique ID to easily find it in the dashboard definition. Note the data source type is ds.savedSearch For example:

   "reportNoScheduleNoRefresh": {
   	"type": "ds.savedSearch",
   	"options": {
   		"ref": "Top 100 sourcetypes in the last 24 hours"
   			}
   		},
   

The default assumption is that the saved search you're referencing lives in the Search & Reporting app. If you created your saved search within the Splunk Dashboards app, or in any app other than Search & Reporting, you must use the app option and set it to the app where the saved search was saved. For example, if you created a saved search in the Splunk Dashboard app, the stanza would look like the following:

"reportNoScheduleNoRefresh": {
	"type": "ds.savedSearch",
	"options": {
		"ref": "Top 100 sourcetypes in the last 24 hours"
                "app": "splunk-dashboard-app"
			}
		},

You can look to the URL while viewing the report to determine what app it is saved in. You can also see information about your searches in the visual editor in the Configuration panel in the Data Configurations section.

When you click on the report, you will see the following:

• The saved search name in the Data Source Name field.
• The query used in the Saved Search with SPL window.
• The time range set in the stanza.
• The creator of the saved search.
• The location of the original saved search.
• The permission status.
• The last time the saved search was edited.

You can't change any of the information using this panel, however, you can click Open in Reports to open the original search in the app where the saved search exists.

ds.savedSearch options

Unlike ds.search, the ds.savedSearch data source type does not respect the name or query options. The only options that you can use are ref and app, as well as refresh and refreshType for searches that are not scheduled searches. For example, the following saved search refreshes at 5 second intervals:

"reportNoScheduleWithRefresh": {
		"type": "ds.savedSearch",
		"options": {
			"ref": "Current Time",
		        "refresh": "5s",
			"refreshType": "interval"
		},

Scheduled saved searches

If a you are referencing a saved search that is scheduled, that schedule will be respected regardless of whether you set the refresh or refreshType options. For example, if a report from the Search & Reporting app has been scheduled to run at the top of every minute, setting the refresh interval to 5 seconds in the JSON stanza will have no effect, and the scheduled search will continue to run at the top of every minute. The same is true for any settings that apply to the data source type in the defaults section of the dashboard definition.

If the report is a scheduled search, but its first scheduled run has not yet completed, the search will run automatically the first time it's added to the dashboard definition.

Use a saved search as a base search for scheduled chain searches

You can use the ds.savedSearch data source as a base search in the same way that you can use ds.search as a base search. The ds.chain data source accepts all of the options that it would if the base search was of type ds.search. For example:

		"baseReportNoScheduleWithRefresh": {
			"type": "ds.savedSearch",
			"options": {
				"ref": "Current Time",
				"refresh": "5s",
				"refreshType": "interval"
			}
		},
		"postReportNoScheduleWithRefresh": {
			"type": "ds.chain",
			"options": {
				"query": "| eval count=count-1500000000",
				"extend": "baseReportNoScheduleWithRefresh"
			},
			"name": "Data Source Name: Post Report - No Schedule, With Refresh"
		},

For more information on chain searches, see Use a ds.chain search with a base search to chain searches together.

Remember, if you have the cancelJobsOnFocusLoss option, or any other options set in the defaults section of the dashboard definition, it most likely affects the data source of type ds.search. Since ds.savedSearch is of a different type, these searches will not be affected by that setting and will continue to run in the background. It is important that you do not set cancelJobsOnFocusLoss for the ds.savedSearch data type since these searches are usually scheduled and depend on being run uninterrupted.