https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472955#M133125 <P>You can use summary indexing. Analyze large data and write output to summary index. Use summary index in the report so that it runs faster on less amount of data when compared to raw data.</P> <P>For more info check this:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing</A></P> Sun, 16 Feb 2020 18:02:16 GMT manjunathmeti 2020-02-16T18:02:16Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472953#M133123 <P>Hi<BR /> How can I Run SPL command once and store result to access result faster next time.<BR /> for e.g. I need to analyses large logs every night and in next day access to "save search" and "dashboards" quickly without waiting to query on data when open "save search" and "dashboards".<BR /> I mean every night Splunk after analyze logs run queries on that exist on "save search" and "dashboards" and store output, so next day when I open "save search" and "dashboards" Splunk load result quickly and display them.</P> <P>Any recommendation?<BR /> Thanks</P> Sun, 16 Feb 2020 05:52:23 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472953#M133123 indeed_2000 2020-02-16T05:52:23Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472954#M133124 <P><A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/Report/Createandeditreports">Createandeditreports</A></P> <P>check this.</P> Sun, 16 Feb 2020 13:36:23 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472954#M133124 to4kawa 2020-02-16T13:36:23Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472955#M133125 <P>You can use summary indexing. Analyze large data and write output to summary index. Use summary index in the report so that it runs faster on less amount of data when compared to raw data.</P> <P>For more info check this:<BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usesummaryindexing</A></P> Sun, 16 Feb 2020 18:02:16 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472955#M133125 manjunathmeti 2020-02-16T18:02:16Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472956#M133126 <P>Hi<BR /> I try commands (sichart, sitimechart, sistats, sitop, and sirare) But not work.</P> <P>Below is my SPL and I visual it with “single value“ pivot:<BR /> source=index | search error* OR fail*</P> <P>For e.g. i try this<BR /> source=index | sistats search error* OR fail*<BR /> source=index | collect search error* OR fail*</P> <P>Any idea?</P> Sun, 16 Feb 2020 18:43:10 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472956#M133126 indeed_2000 2020-02-16T18:43:10Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472957#M133127 <P>first search:</P> <PRE><CODE>source=index error* OR fail* | collect index=error_index </CODE></PRE> <P>second search:</P> <PRE><CODE>index=error_index as_you_like </CODE></PRE> <P>If you create summary index, The next time you search there, it will be faster.</P> <P>I think a report is enough for your usage.</P> Sun, 16 Feb 2020 20:03:05 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472957#M133127 to4kawa 2020-02-16T20:03:05Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472958#M133128 <P>Save your job as a report, run it based on your schedule and use the loadjob command.</P> <P>| loadjob savedsearch="admin:search:Savedsearch"</P> <P>when running loadjob on scheduled report, only latest result will be shown.</P> <P>You can additionally use these as a base query to run other queries on if you are using multiple transformative commands on the same dataset.</P> Sun, 16 Feb 2020 20:48:01 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472958#M133128 martinpu 2020-02-16T20:48:01Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472959#M133129 <P>Still not work,<BR /> |search error* OR fail* | loadjob savedsearch="admin:search:Savedsearch"</P> <P>What is the last part of command “admin:search:Savedsearch“?</P> Mon, 17 Feb 2020 01:56:41 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472959#M133129 indeed_2000 2020-02-17T01:56:41Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472960#M133130 <PRE><CODE>| loadjob savedsearch="YourUserID:App:SavedSearchname" </CODE></PRE> <P>Loadjob must be the first line.</P> <P>Why are you using: <BR /> |search error* OR fail* ?</P> <P>You can also try </P> <PRE><CODE>index=yourindex | rex "(?&lt;errorOrFail&gt;error|fail)" |eval errorOrFail=if(isnull(errorOrFail), "False","True") | search errorOrFail="True" </CODE></PRE> <P>Or try with</P> <PRE><CODE>index=yourindex error* OR fail* </CODE></PRE> <P>see if you can use sourcetype/index or extract some statistical data. I think you need to optimize your query, use index and zero-in on the data that you need.</P> Mon, 17 Feb 2020 17:21:27 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472960#M133130 martinpu 2020-02-17T17:21:27Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472961#M133131 <OL> <LI>Run SPL command : ....your spl ... | outputlookup nnn.csv</LI> <LI>dashboard: | inputlookup nnn.csv</LI> </OL> Tue, 18 Feb 2020 09:13:30 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472961#M133131 hc_joycechen 2020-02-18T09:13:30Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472962#M133132 <P>1-First command create file? Where it will be atore?<BR /> 2-load file on dashboard? </P> Tue, 18 Feb 2020 15:41:25 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472962#M133132 indeed_2000 2020-02-18T15:41:25Z https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472963#M133133 <P>1-First command create file? Where it will be atore?<BR /> | makeresults <BR /> | eval aa="1", bb="2", cc="3"<BR /> | outputlookup nnn.csv</P> <P>file : /opt/splunk/etc/apps/your_app/lookups</P> <P>2-load file on dashboard?</P> <P>Sample</P> <PRE><CODE>&lt;panel&gt; &lt;table&gt; &lt;search&gt; &lt;query&gt;| inputlookup nnn.csv&lt;/query&gt; &lt;/search&gt; &lt;option name="count"&gt;30&lt;/option&gt; &lt;option name="drilldown"&gt;none&lt;/option&gt; &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt; &lt;/table&gt; &lt;/panel&gt; </CODE></PRE> Wed, 19 Feb 2020 07:02:18 GMT https://community.splunk.com/t5/Splunk-Search/Run-SPL-command-once-and-store-result-to-access-faster/m-p/472963#M133133 hc_joycechen 2020-02-19T07:02:18Z