https://community.splunk.com/t5/Knowledge-Management/savedsearch-best-practice/m-p/431574#M5767 <P>what is the exact requirement? what are you searching for across 'huge number of workstations"? how long does it takes to the search to complete?<BR /> in any case, i'd recommend to schedule a report and also cap the exact time. example: run a search every night at 1:00 am, add to search: <CODE>earliest=-25h-15m@m latest=-1h-15m@m</CODE> this will ensure you will not miss an event and even if your search takes 75 minutes to run. also, after i ran, you can use <CODE>|savedsearch</CODE> or <CODE>|loadjob</CODE> or just add it as a panel to a dashboard.</P> Mon, 22 Oct 2018 00:36:23 GMT adonio 2018-10-22T00:36:23Z https://community.splunk.com/t5/Knowledge-Management/savedsearch-best-practice/m-p/431573#M5766 <P>hello</P> <P>i need to monitor events on a huge number of workstations <BR /> i want to know the exact way to use saved search in order to execute the query at a planned date<BR /> is it the good way to create a planned report, to copy data in a lookup and to call the data from a Dashboard<BR /> or is it better to create a planned report and to call the report from the Dashboard with | savedserarch???<BR /> Many thanks for your help</P> Sun, 21 Oct 2018 13:26:28 GMT https://community.splunk.com/t5/Knowledge-Management/savedsearch-best-practice/m-p/431573#M5766 jip31 2018-10-21T13:26:28Z https://community.splunk.com/t5/Knowledge-Management/savedsearch-best-practice/m-p/431574#M5767 <P>what is the exact requirement? what are you searching for across 'huge number of workstations"? how long does it takes to the search to complete?<BR /> in any case, i'd recommend to schedule a report and also cap the exact time. example: run a search every night at 1:00 am, add to search: <CODE>earliest=-25h-15m@m latest=-1h-15m@m</CODE> this will ensure you will not miss an event and even if your search takes 75 minutes to run. also, after i ran, you can use <CODE>|savedsearch</CODE> or <CODE>|loadjob</CODE> or just add it as a panel to a dashboard.</P> Mon, 22 Oct 2018 00:36:23 GMT https://community.splunk.com/t5/Knowledge-Management/savedsearch-best-practice/m-p/431574#M5767 adonio 2018-10-22T00:36:23Z https://community.splunk.com/t5/Knowledge-Management/savedsearch-best-practice/m-p/431575#M5768 <P>I would suggest you to use datamodel if possible for optimizations </P> Sat, 27 Oct 2018 15:20:55 GMT https://community.splunk.com/t5/Knowledge-Management/savedsearch-best-practice/m-p/431575#M5768 iamarkaprabha 2018-10-27T15:20:55Z