Reporting

Using saved search in report without running it again.

arusoft
Communicator

I have created a saved search and it runs every day. I then created a report that uses this saved search. All I am doing in the report is calling the saved search like this:

| savedsearch mysavedsearchname
The problem is that when I run this report, it looks like it's running the query behind the saved search. I was hoping that instead of running the query, it would show the last run results from the saved search. If this is by design, then how can I get the last run results without running it again? I know that I can easily push the saved search results to a CSV file and then call the CSV in the report, but I don't want to do this.

richgalloway
SplunkTrust

The description of the savedsearch command says, in part, "The savedsearch command always runs a new search. To reanimate the results of a previously run search, use the loadjob command."

---
If this reply helps you, Karma would be appreciated.


arusoft
Communicator

Thanks @richgalloway. That helps. But I am not understanding why it is called savedsearch. This looks more like a macro for a search query. Otherwise what is the point of calling it "savedsearch" if it has to run the underlying query all the time? What exactly is it saving?


richgalloway
SplunkTrust

It's called "savedsearch" because it's running a search that previously has been saved.

---
If this reply helps you, Karma would be appreciated.

arusoft
Communicator

Sorry, I didn't get you. What do you mean by "previously has been saved"? Are you talking about the results from the previous run, or just the "search query text" that is behind that "SavedSearch"? Any link to a nice, detailed, lengthy KT on this topic? The Splunk documentation is just very basic.


PickleRick
Ultra Champion

Saved search is a search that has been defined and this definition has been saved. Depending on additional settings it can create a report or trigger an alarm.

You might look at saved search as a specific form of a macro with extra steps.

A macro does not have a timerange definition (although it might expand to timerange conditions), and does not have to expand to a full search. A macro is expanded inline within the search by means of simple text substitution.

Saved search is a pre-defined SPL statement with some additional settings (timerange, optionally schedule, report recipient and so on). If you want to use a saved search you have to - as you've already noticed - "call" the saved search and process its output.

If you're familiar with programming in C, the analogy would be more or less the difference between a #define and a function.
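To make the distinction drawn in the two answers above concrete, here is an added SPL illustration; it is not part of any post in this thread. It reuses the question's saved search name `mysavedsearchname`. The owner `nobody` and app `search` in the loadjob reference are assumptions (app-shared saved searches are owned by `nobody`; a private one is owned by the user who created it), and the `comment` macro used for the inline notes is the one shipped with the Search app. The three searches are meant to be run separately, not as one pipeline.

```spl
`comment("1. What the report in the question does: savedsearch always dispatches the search again")`
| savedsearch mysavedsearchname

`comment("2. Reuse the most recent scheduled run instead of re-running it (owner/app assumed: nobody, search)")`
| loadjob savedsearch="nobody:search:mysavedsearchname" artifact_offset=0 ignore_running=true

`comment("3. Confirm the saved search is actually scheduled and how long its job artifacts are kept")`
| rest /servicesNS/-/-/saved/searches search="title=mysavedsearchname"
| table title, eai:acl.owner, eai:acl.app, is_scheduled, cron_schedule, dispatch.ttl
```

Two things to check before relying on the second search in a dashboard: loadjob can only return results while the scheduled job's artifact still exists (retention is governed by `dispatch.ttl` in savedsearches.conf, which defaults to two scheduled periods), and there is no "last run" to load at all unless `is_scheduled` is 1. The user viewing the report also needs permission to see the saved search and its job artifacts, so a report that works for the search owner can still come back empty for other users.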

arusoft
Communicator

Thanks @PickleRick. That's exactly what I understood might be going on. You explained it very well. It's just that I don't like this feature name 🙂 At least for me it's a bit confusing.

My goal was to run a savedsearch/report on a nightly basis and then use the last run result in dashboards/reports etc. I guess, like @richgalloway mentioned, loadjob is what I should be doing.

