https://community.splunk.com/t5/Splunk-Search/Search-on-existing-search-results/m-p/549167#M155793 <P>Use <FONT face="courier new,courier">loadjob</FONT>.&nbsp; Once the first search completes, use the Job Inspector to get the SID.&nbsp; Then replace the original search with a <FONT face="courier new,courier">loadjob</FONT> command and add the new commands.</P><LI-CODE lang="markup">| loadjob 1619199687.119898 | search host=bar</LI-CODE><P>Note: the ability to do this without the <FONT face="courier new,courier">loadjob</FONT> kludge is an old ask.&nbsp; Go to&nbsp;<A href="https://ideas.splunk.com" target="_blank">https://ideas.splunk.com</A>&nbsp;to add your voice.</P><P>&nbsp;</P> Fri, 23 Apr 2021 17:45:26 GMT richgalloway 2021-04-23T17:45:26Z https://community.splunk.com/t5/Splunk-Search/Search-on-existing-search-results/m-p/549162#M155791 <P>Preemptive note, I am not looking for instructions on how to run a subsearch.</P><P>&nbsp;</P><P>I have results from a completed search that goes back 90 days which took an extremely long time to run. Lets say the search was:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=foo</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Now that I have those results, I need to filter them down, lets say I'd like to filter them down to:</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=foo host=bar</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I'd like to search within those results without Splunk having to query the entire indexer again to reduce the amount of time the second search takes. Basically, is there any way to have Splunk query the existing, cached results already on the search head rather than having to query the indexer twice?</P> Fri, 23 Apr 2021 17:25:08 GMT https://community.splunk.com/t5/Splunk-Search/Search-on-existing-search-results/m-p/549162#M155791 Haybuck15 2021-04-23T17:25:08Z https://community.splunk.com/t5/Splunk-Search/Search-on-existing-search-results/m-p/549167#M155793 <P>Use <FONT face="courier new,courier">loadjob</FONT>.&nbsp; Once the first search completes, use the Job Inspector to get the SID.&nbsp; Then replace the original search with a <FONT face="courier new,courier">loadjob</FONT> command and add the new commands.</P><LI-CODE lang="markup">| loadjob 1619199687.119898 | search host=bar</LI-CODE><P>Note: the ability to do this without the <FONT face="courier new,courier">loadjob</FONT> kludge is an old ask.&nbsp; Go to&nbsp;<A href="https://ideas.splunk.com" target="_blank">https://ideas.splunk.com</A>&nbsp;to add your voice.</P><P>&nbsp;</P> Fri, 23 Apr 2021 17:45:26 GMT https://community.splunk.com/t5/Splunk-Search/Search-on-existing-search-results/m-p/549167#M155793 richgalloway 2021-04-23T17:45:26Z