
using saved search in report without running it again.

arusoft
Communicator

I have created a saved search and it runs every day. I then created a report that uses this saved search. All I am doing in the report is calling the saved search like this:

| savedsearch mysavedsearchname
 
The problem is that when I run this report, it looks like it's running the query behind the saved search. I was hoping that instead of running the query, it would show the last-run results from the saved search. If this is by design, then how can I get the last-run results without running it again? I know that I can easily push the saved search results to a CSV file and then call the CSV in the report, but I don't want to do this.

richgalloway
SplunkTrust

The description of the savedsearch command says, in part, "The savedsearch command always runs a new search. To reanimate the results of a previously run search, use the loadjob command."

---
If this reply helps you, Karma would be appreciated.

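As an added illustration of the accepted answer (not part of the original thread): the first search reads the results stored by the most recent completed scheduled run of the report named in the question instead of re-running its SPL; the second is a check you can run first to confirm that such an artifact actually exists. The owner "nobody" and the app "search" are assumptions; replace them with the report's real owner and app.

```spl
| loadjob savedsearch="nobody:search:mysavedsearchname" artifact_offset=0 ignore_running=true

| rest /services/search/jobs
| search label="mysavedsearchname"
| table sid, label, isDone, published, ttl
```

loadjob only works when the saved search is scheduled, has completed at least once, its artifact has not expired (the retention is governed by the report's dispatch.ttl setting), and the calling user is permitted to read that artifact. artifact_offset=1 would return the run before the latest one. If the REST check returns no rows, there is nothing for loadjob to load, and the report will simply produce no results rather than an error you can act on.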

arusoft
Communicator

Thanks @richgalloway. That helps. But I am not understanding why it is called "savedsearch". This looks more like a macro for a search query. Otherwise, what is the point of calling it "savedsearch" if it has to run the underlying query all the time? What exactly is it saving?


richgalloway
SplunkTrust

It's called "savedsearch" because it's running a search that previously has been saved.


arusoft
Communicator

Sorry, I didn't get you. What do you mean by "previously has been saved"? Are you talking about the results from a previous run, or just the "search query text" behind that "SavedSearch"? Any link to a nice, detailed, lengthy KT on this topic? The Splunk documentation is just very basic.


PickleRick
SplunkTrust

A saved search is a search that has been defined and whose definition has been saved. Depending on additional settings, it can create a report or trigger an alarm.

You might look at a saved search as a specific form of a macro with extra steps.

A macro does not have a timerange definition (although it might expand to timerange conditions), and does not have to expand to a full search. A macro is expanded inline within the search by means of simple text substitution.

A saved search is a pre-defined SPL statement with some additional settings (timerange, optionally a schedule, report recipients and so on). If you want to use a saved search you have to, as you've already noticed, "call" the saved search and process its output.

If you're familiar with programming in C, the analogy would be more or less the difference between a #define and a function.

arusoft
Communicator

Thanks @PickleRick. That's exactly what I understood might be going on. You explained it very well. It's just that I don't like this feature name 🙂 At least for me it's a bit confusing.

My goal was to run a savedsearch/report on a nightly basis and then use the last-run results in dashboards/reports etc. I guess, like @richgalloway mentioned, loadjob is what I should be doing.

