I have created a saved search and it runs every day. I then created a report that uses this saved search. All I am doing in the report is calling the saved search like this:
| savedsearch mysavedsearchname
The description of the savedsearch command says, in part, "The savedsearch command always runs a new search. To reanimate the results of a previously run search, use the loadjob command."
Thanks @richgalloway. That helps. But I am not understanding why it is called savedsearch. This looks more like a macro for a search query. Otherwise, what is the point of calling it "savedsearch" if it has to run the underlying query all the time? What exactly is it saving?
It's called "savedsearch" because it's running a search that previously has been saved.
Sorry, I didn't get you. What do you mean by "previously has been saved"? Are you talking about results from a previous run, or just the "search query text" that is behind that "SavedSearch"? Any link to a nice, detailed, lengthy KT on this topic? Splunk documentation is just very basic.
A saved search is a search that has been defined and whose definition has been saved. Depending on additional settings it can create a report or trigger an alarm.
You might look at a saved search as a specific form of a macro with extra steps.
A macro does not have a time range definition (although it might expand to time range conditions), and does not have to expand to a full search. A macro is expanded inline within the search by means of simple text substitution.
A saved search is a pre-defined SPL statement with some additional settings (time range, optionally a schedule, report recipients and so on). If you want to use a saved search you have to, as you've already noticed, "call" the saved search and process its output.
If you're familiar with programming in C, the analogy would be more or less the difference between a #define and a function.
Thanks @PickleRick. That's exactly what I understood might be going on. You explained it very well. It's just that I don't like this feature's name 🙂 At least for me it's a bit confusing.
My goal was to run a savedsearch/report on a nightly basis, and then use the last run's results in dashboards/reports etc. I guess, like @richgalloway mentioned, loadjob is what I should be doing.
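The two SPL forms discussed in this thread, side by side, as an added example that is not part of the original posts. The saved search name mysavedsearchname comes from the question; the owner admin and the app search in the loadjob form are assumptions and must be replaced with the actual owner and app of the saved search.

```spl
| savedsearch mysavedsearchname
| table _time host count

| loadjob savedsearch="admin:search:mysavedsearchname"
| table _time host count
```

The first block re-runs the saved search's SPL every time the dashboard panel or report is opened, exactly as the savedsearch documentation quoted above says. The second block loads the stored results of the most recent scheduled run of the saved search instead of searching again, which is what a "use last night's results" dashboard wants. Two things to check before relying on loadjob: the saved search has to actually be scheduled (loadjob reads the artifact the scheduler left behind, and an unscheduled saved search has no such artifact), and the artifact must still be within its retention lifetime, otherwise loadjob returns nothing.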