How do I run loadjob to get the second to last resultset?

Contributor

How do I run loadjob to get the second to last resultset? By default it gives the last resultset.


Re: How do I run loadjob to get the second to last resultset?

SplunkTrust

Hi hylam,

If your saved search is named foo you can use this command:

| loadjob [
    search index=_audit savedsearch_name="foo" search_id='scheduler_*'
    | sort - _time | head 2 | tail 1
    | rename search_id AS search
    | eval search=replace(search, "\'", "") ]

What happens here? The subsearch will search for the search_id of your saved search; the sort, head and tail will get back the second-last result, and the rename and eval will return the value in a usable format for loadjob.

Hope this helps ...

cheers, MuS


Re: How do I run loadjob to get the second to last resultset?

Path Finder

The easiest way to get the second-last result set should be this; below is the default syntax for loadjob.

| loadjob (sid | savedsearch) [result-event] [delegate] [artifactoffset] [ignorerunning]

Selects a search artifact other than the most recent matching one. For example, if artifactoffset=1, the second most recent artifact will be used. If artifactoffset=2, the third most recent artifact will be used.
FYI: https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Loadjob

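To make the two answers concrete, here is an added example (not from either poster) that assumes the scheduled saved search is named foo, owned by user admin in the search app; both names are placeholders for your own. The first search loads the second most recent artifact directly with artifactoffset; the second lists the retained artifacts from _audit so you can confirm which search_id that offset corresponds to before trusting the loaded results.

```spl
| loadjob savedsearch="admin:search:foo" artifactoffset=1

index=_audit action=search info=completed savedsearch_name="foo"
| sort - _time
| table _time search_id user
```

The savedsearch form of loadjob takes "<user>:<app>:<search name>", and artifactoffset=1 skips the newest artifact the way the head 2 / tail 1 subsearch in the accepted answer does. Either approach only works while the artifact is still retained under the job's dispatch TTL; once it has expired, loadjob returns nothing rather than an error, which is why listing the completed runs from _audit is a useful check.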