Hi,
I've been asked if there is a way to add/extend a search without re-running it in its entirety. Apparently, the open-source competitor (that "E" word) provides that functionality. Never seen this in Splunk, be a nice add... is there a way to do it?
Yes, you can use |savedsearch to access the search string or |loadjob to access the search results. You can also dump the search's output to a file with |outputcsv and then pull those results back in at any time with |inputcsv. You can also create eventtypes to refer to partial search strings and then do a search starting with eventtype=myEventType.
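To make the accepted answer concrete, here is an added worked example of the loadjob / outputcsv / eventtype workflow. It is not from the original thread, and the index, sourcetype, field names, the CSV name, the eventtype name and the sid 1700000000.12345 are all placeholders; the sid of a real base search is read from the Job Inspector or from the search page URL. The searches, in order: the expensive base search run once interactively; a follow-up that reads that job's cached result rows by sid and adds a filter and sort (note the leading pipe, since loadjob must be the first command); the same base search written to a CSV file; a later search that reads the CSV back instead of touching the indexers; the loadjob form that reads the most recent results of a scheduled saved search; and an eventtype standing in for the raw-event part of the base search.

```spl
index=web sourcetype=access_combined earliest=-7d latest=now
| stats count AS hits, dc(uri_path) AS distinct_paths BY clientip, status

| loadjob 1700000000.12345
| where status >= 500 AND hits > 100
| sort - hits

index=web sourcetype=access_combined earliest=-7d latest=now
| stats count AS hits, dc(uri_path) AS distinct_paths BY clientip, status
| outputcsv web_status_by_client

| inputcsv web_status_by_client
| where status >= 500
| stats sum(hits) AS server_errors BY clientip

| loadjob savedsearch="admin:search:web_status_by_client"
| where status >= 500

eventtype=web_access status>=500
| stats count AS hits BY clientip
```

Two caveats a practitioner will hit. First, loadjob only works while the job artifact still exists; an ad hoc job expires after its TTL, so extend the job's lifetime from the Job menu (or save it) before relying on the sid later, and the user running loadjob needs permission to read that job. Second, everything after |loadjob or |inputcsv operates on the rows the base search produced, not on raw events: any field the base search did not carry through (here, anything beyond clientip, status, hits and distinct_paths) requires re-running against the indexers. The eventtype form is the opposite trade-off: it saves retyping the search string, but it always re-reads the raw events, because an eventtype can only hold the event search portion, not the piped commands.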
Go to settings -> searches, reports, and alerts -> find the search -> click on its name -> modify it -> click save.
Of course it will work, but it's not what they are trying to do.... they don't want to go into the saved search and keep changing it.
Ok but you asked "Ability to add to search without re-running entire search?... I've been asked if there is a way to add/extend a search without re-running it in it's entirety. "
Yes, from the search bar. Splitting hairs here... (hah!). The above method works better for me.
@jkat54 - I think you misunderstood. @a212830 was looking for a way to essentially play with cached results. In other words, consider a long running search that you're creating, then you want to add one tweak to it and you're left with rerunning the entire thing which could take so long that it's impractical. Instead, you can run a base search and then manipulate its results in various ways without re-pulling the raw data from the indexers. I hope that clarifies why the other answer was accepted. Two different interpretations to the question.
Thanks, he clarified. Just leaving this here in case someone is looking for the other solution
That's exactly what they are trying to avoid...
Want to run an interactive search and then easily reference the output of that data and possibly modify the search, without running against an entirely new dataset.
+1 to the | loadjob. For long-running searches, I use that a ton. Run once, find the sid (job inspector or the url) and then use | loadjob <sid> to manipulate the results without having to rerun. Great for ad-hoc analysis whereas a savedsearch or csv approach requires creating other knowledge objects and remembering to clean up (not the case with loadjob).
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob
Was just thinking... what about datasets? Does any functionality in that help in this situation?
I'll be honest there; I have not played with that stuff yet.
Thanks! Had not thought of the eventtype one... that's a good one.