Knowledge Management

savedsearch best practice

jip31
Motivator

hello

i need to monitor events on a huge number of workstations
i want to know the exact way to use saved search in order to execute the query at a planned date
is it the good way to create a planned report, to copy data in a lookup and to call the data from a Dashboard
or is it better to create a planned report and to call the report from the Dashboard with | savedserarch???
Many thanks for your help

Tags (1)

iamarkaprabha
Contributor

I would suggest you to use datamodel if possible for optimizations

adonio
Ultra Champion

what is the exact requirement? what are you searching for across 'huge number of workstations"? how long does it takes to the search to complete?
in any case, i'd recommend to schedule a report and also cap the exact time. example: run a search every night at 1:00 am, add to search: earliest=-25h-15m@m latest=-1h-15m@m this will ensure you will not miss an event and even if your search takes 75 minutes to run. also, after i ran, you can use |savedsearch or |loadjob or just add it as a panel to a dashboard.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...