topic Re: Ability to add to search without re-running entire search? in Splunk Search

Ability to add to search without re-running entire search?

a212830 — Fri, 23 Jun 2017 12:46:34 GMT

hI,

I've been asked if there is a way to add/extend a search without re-running it in it's entirety. Apparently, the open-source competitor (that "E" word) provides that functionality. Never seen this in Splunk, be a nice add... is there a way to do it?

Re: Ability to add to search without re-running entire search?

woodcock — Fri, 23 Jun 2017 13:08:42 GMT

Yes, you can use |savedsearch to access the search string or |loadjob to access the search results. You can also dump the search's output to a file with |outputcsv and then pull those results back in at any time with |inputcsv. You can also create eventttypes to refer to partial search strings and then do a search starting with eventtype=myEventType.

Re: Ability to add to search without re-running entire search?

jkat54 — Fri, 23 Jun 2017 13:25:27 GMT

Go to settings -> searches, reports, and alerts -> find the search -> click on its name -> modify it -> click save.

Re: Ability to add to search without re-running entire search?

a212830 — Fri, 23 Jun 2017 13:43:47 GMT

Thanks! Had not thought of the eventtype one... that's a good one.

Re: Ability to add to search without re-running entire search?

a212830 — Fri, 23 Jun 2017 14:21:57 GMT

That's exactly what they are trying to avoid...

Want to run an interactive search and then easily reference the output of that data and possibly modify the search, without running against an entirely new dataset.

Re: Ability to add to search without re-running entire search?

jkat54 — Fri, 23 Jun 2017 14:54:46 GMT

Re: Ability to add to search without re-running entire search?

jkat54 — Fri, 23 Jun 2017 14:54:46 GMT

Re: Ability to add to search without re-running entire search?

a212830 — Fri, 23 Jun 2017 14:56:22 GMT

Of course it will work, but it's not what they are trying to do.... they don't want to go into the saved search and keep changing it.

Re: Ability to add to search without re-running entire search?

a212830 — Fri, 23 Jun 2017 14:57:17 GMT

Was just thinking... what about datasets? Does any functionality in that help in this situation?

Re: Ability to add to search without re-running entire search?

jkat54 — Fri, 23 Jun 2017 14:58:39 GMT

Ok but you asked "Ability to add to search without re-running entire search?... I've been asked if there is a way to add/extend a search without re-running it in it's entirety. "

Re: Ability to add to search without re-running entire search?

a212830 — Fri, 23 Jun 2017 15:01:57 GMT

Yes, from the search bar. Splitting hairs here... (hah!). The above method works better for me.

Re: Ability to add to search without re-running entire search?

woodcock — Fri, 23 Jun 2017 15:37:40 GMT

I'll be honest there; I have not played with that stuff yet.

Re: Ability to add to search without re-running entire search?

sloshburch — Mon, 26 Jun 2017 12:22:21 GMT

+1 to the | loadjob. For long running searches, I use that a ton. Run once, find the sid (job inspector or the url) and then use | loadjob <sid> to manipulate the results without having to rerun. Great for ad-hoc analysis whereas a savedsearch or csv approach requires creating other knowledge objects and remembering to cleanup (not the case with loadjob).
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob

Re: Ability to add to search without re-running entire search?

sloshburch — Mon, 26 Jun 2017 12:25:09 GMT

@jkat54 - I think you misunderstood. @a212830 was looking for a way to essentially play with cached results. In other words, consider a long running search that you're creating, then you want to add one tweak to it and you're left with rerunning the entire thing which could take so long that it's impractical. Instead, you can run a base search and then manipulate it's results in various ways without re-pulling the raw data from the indexers. I hope that clarifies why the other answer was accepted. Two different interpretations to the question.

Re: Ability to add to search without re-running entire search?

jkat54 — Mon, 26 Jun 2017 13:32:56 GMT

Thanks, he clarified. Just leaving this here in case someone is looking for the other solution