
Preserve search queries by the querystring

Tom
Engager

If I close my web browser with search results up, then on restart of the web browser I end up at the "flashtimeline" page again, but with no Search query up. Is there a way to run searches with the search itself in the querystring so that I don't lose the search on restart?

My browser just crashed while I was in the middle of testing a rather large query, causing me to lose all of my work 😞


sideview
SplunkTrust

The best thing to do when you have a search you want to keep around for a while, is to click

Actions > Get link to results.

That will both

a) save the results permanently on disk and

b) give you a nice URL to get those results back in the future.

As such it basically does the same thing as clicking 'Send to background', except that since you have the URL you won't have to dig around for it later in the Job Manager.

And you can even click 'get link to results' while the search is running.


sideview
SplunkTrust

Well if you can't save any results on disk then you have a deeper problem because Splunk deletes all unsaved jobs after only 15 minutes.
Each one doesn't take up a lot of space although I'll admit that once you start saving them they can pile up rather quickly.


Tom
Engager

That doesn't help, because the variety of searches I'm looking for are too large for my allowed space usage, so I can't save anything. I would like to be able to use my browser's standard facilities instead of forcing any server-side activity.


Lowell
Super Champion

Yeah, that's annoying. You can always "save" your searches while they are running. You can do this either from the jobs manager page, or by clicking the "send to background" link. Either way, you can get your job back by going back into the job manager page, even if your browser crashed. You will have to remember to delete the job later if you don't want to keep it around.

But after the fact, the best advice I can give is to go search your internal index for your previous search:

index=_internal source=*searches.log YourUserName | rex "(?s)\S+ \S+ - (?<user>\S+)\t(?<search>.*)$" | dedup search

This should give you a quick list of your previous searches. You can copy and paste your search from there. Don't forget to remove the leading search command from the beginning of your search.

(BTW, I do this often enough I added the above regex to my props.conf file.)

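As an added example that is not part of Lowell's answer or of Splunk itself, the Python below reproduces what that SPL pipeline does to searches.log offline: apply the same regex to each event, keep only one user's searches, drop exact duplicates (the `dedup search` step) and strip the implicit leading `search` command so the text can be pasted straight back into the search bar. The sample events are constructed to follow the `<date> <time> - <user>\t<search>` shape the regex expects and are not real Splunk log output; the last one spans two lines to show why the `(?s)` flag is there.

```python
import re

# Constructed sample events (NOT real Splunk searches.log output). They follow the
# "<date> <time> - <user>\t<search>" shape that the regex in the answer expects.
# The final event spans two lines to exercise the (?s) flag in the original rex.
SAMPLE_LOG = (
    "2024-12-01 10:15:02,113 - tom\tsearch index=_internal source=*searches.log tom\n"
    "2024-12-01 10:17:44,902 - tom\tsearch index=web status=500 | stats count by uri\n"
    "2024-12-01 10:18:01,007 - alice\tsearch index=main | head 5\n"
    "2024-12-01 10:21:30,550 - tom\tsearch index=web status=500 | stats count by uri\n"
    "2024-12-01 10:25:12,001 - tom\tsearch index=web status=500\n"
    "| stats count by host\n"
)

# Same pattern as the answer's rex, using Python's (?P<name>...) group syntax.
# (?s) lets ".*" run across embedded newlines inside a multi-line event.
SEARCH_RE = re.compile(r"(?s)\S+ \S+ - (?P<user>\S+)\t(?P<search>.*)$")

# Splunk breaks searches.log into events on the leading timestamp; this split
# mimics that so a continuation line stays attached to its event.
EVENT_SPLIT_RE = re.compile(r"\n(?=\d{4}-\d{2}-\d{2} )")


def parse_events(text):
    """Yield (user, search) pairs for every event the regex matches."""
    for event in EVENT_SPLIT_RE.split(text.strip()):
        m = SEARCH_RE.search(event)
        if m:
            yield m.group("user"), m.group("search")


def strip_leading_search(spl):
    """Drop the implicit leading 'search' command so the text can be pasted back."""
    return re.sub(r"^\s*search\s+", "", spl)


def previous_searches(text, user):
    """Filter on one user, then '| dedup search', then strip the leading 'search'.

    The first occurrence of each distinct search string is kept, in input order.
    """
    seen = set()
    result = []
    for who, search in parse_events(text):
        if who != user or search in seen:
            continue
        seen.add(search)
        result.append(strip_leading_search(search))
    return result


if __name__ == "__main__":
    for s in previous_searches(SAMPLE_LOG, "tom"):
        print(repr(s))
```

Note that Splunk returns events newest first, so `dedup` there keeps the most recent copy of a repeated search; this script keeps the first copy in whatever order the text is given.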