Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

savedsearch best practice

jip31
Motivator
‎10-21-2018 06:26 AM

hello

i need to monitor events on a huge number of workstations
i want to know the exact way to use saved search in order to execute the query at a planned date
is it the good way to create a planned report, to copy data in a lookup and to call the data from a Dashboard
or is it better to create a planned report and to call the report from the Dashboard with | savedserarch???
Many thanks for your help

Tags (1)
Reply

iamarkaprabha
Contributor
‎10-27-2018 08:20 AM

I would suggest you to use datamodel if possible for optimizations

Reply

adonio
Ultra Champion
‎10-21-2018 05:36 PM

what is the exact requirement? what are you searching for across 'huge number of workstations"? how long does it takes to the search to complete?
in any case, i'd recommend to schedule a report and also cap the exact time. example: run a search every night at 1:00 am, add to search: earliest=-25h-15m@m latest=-1h-15m@m this will ensure you will not miss an event and even if your search takes 75 minutes to run. also, after i ran, you can use |savedsearch or |loadjob or just add it as a panel to a dashboard.

Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...