Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

savedsearch best practice

jip31
Motivator
‎10-21-2018 06:26 AM

hello

i need to monitor events on a huge number of workstations
i want to know the exact way to use saved search in order to execute the query at a planned date
is it the good way to create a planned report, to copy data in a lookup and to call the data from a Dashboard
or is it better to create a planned report and to call the report from the Dashboard with | savedserarch???
Many thanks for your help

Tags (1)
Reply

iamarkaprabha
Contributor
‎10-27-2018 08:20 AM

I would suggest you to use datamodel if possible for optimizations

Reply

adonio
Ultra Champion
‎10-21-2018 05:36 PM

what is the exact requirement? what are you searching for across 'huge number of workstations"? how long does it takes to the search to complete?
in any case, i'd recommend to schedule a report and also cap the exact time. example: run a search every night at 1:00 am, add to search: earliest=-25h-15m@m latest=-1h-15m@m this will ensure you will not miss an event and even if your search takes 75 minutes to run. also, after i ran, you can use |savedsearch or |loadjob or just add it as a panel to a dashboard.

Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...