savedsearch best practice

jip31 · ‎10-21-2018

hello

i need to monitor events on a huge number of workstations
i want to know the exact way to use saved search in order to execute the query at a planned date
is it the good way to create a planned report, to copy data in a lookup and to call the data from a Dashboard
or is it better to create a planned report and to call the report from the Dashboard with | savedserarch???
Many thanks for your help

iamarkaprabha · ‎10-27-2018

I would suggest you to use datamodel if possible for optimizations

adonio · ‎10-21-2018

what is the exact requirement? what are you searching for across 'huge number of workstations"? how long does it takes to the search to complete?
in any case, i'd recommend to schedule a report and also cap the exact time. example: run a search every night at 1:00 am, add to search: earliest=-25h-15m@m latest=-1h-15m@m this will ensure you will not miss an event and even if your search takes 75 minutes to run. also, after i ran, you can use |savedsearch or |loadjob or just add it as a panel to a dashboard.

savedsearch best practice

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation

savedsearch best practice

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!