Splunk Search

Ability to add to search without re-running entire search?

Champion

Hi,

I've been asked if there is a way to add/extend a search without re-running it in its entirety. Apparently, the open-source competitor (that "E" word) provides that functionality. Never seen this in Splunk, be a nice add... is there a way to do it?

0 Karma
1 Solution

Esteemed Legend

Yes, you can use |savedsearch to access the search string or |loadjob to access the search results. You can also dump the search's output to a file with |outputcsv and then pull those results back in at any time with |inputcsv. You can also create eventtypes to refer to partial search strings and then do a search starting with eventtype=myEventType.

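As an added illustration (not part of the original answer), here are the four techniques the accepted answer lists, written as SPL. The base search, the `index=auth` data with a `src_ip` field, the saved-search name `auth_failures_base`, the CSV name `auth_failures_base` and the eventtype `auth_failures` are all assumptions made for the example. Each blank-line-separated search is run on its own: the first is the expensive base search; the second re-runs its saved string via `savedsearch`; the third reads the cached results of its most recent scheduled run via `loadjob`; the fourth and fifth persist results to CSV and read them back; the last uses an eventtype to stand in for the partial search string.

```spl
index=auth sourcetype=linux_secure "Failed password" earliest=-30d
| stats count AS failures, dc(user) AS distinct_users BY src_ip

| savedsearch auth_failures_base
| where failures > 100
| sort - failures

| loadjob savedsearch="admin:search:auth_failures_base"
| where distinct_users > 20

index=auth sourcetype=linux_secure "Failed password" earliest=-30d
| stats count AS failures, dc(user) AS distinct_users BY src_ip
| outputcsv auth_failures_base

| inputcsv auth_failures_base
| where failures > 100 AND distinct_users > 20
| sort - failures

eventtype=auth_failures earliest=-30d
| stats count AS failures BY src_ip, user
```

Two caveats worth knowing when choosing between these: `savedsearch` re-executes the stored search string, so it saves typing rather than compute, while `loadjob savedsearch="user:app:name"` only works for a search that is scheduled, because it reads the artifacts of the last scheduled run. `outputcsv` writes to `$SPLUNK_HOME/var/run/splunk/csv/<name>.csv` on the search head, where the file survives job expiry and is readable by any user who can run `inputcsv`, so keep sensitive aggregates out of it or clean them up. The eventtype used above would be defined in eventtypes.conf as a stanza `[auth_failures]` with `search = index=auth sourcetype=linux_secure "Failed password"` (or via Settings > Event types).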

SplunkTrust

Go to settings -> searches, reports, and alerts -> find the search -> click on its name -> modify it -> click save.

0 Karma

SplunkTrust

(screenshot)

0 Karma

Champion

Of course it will work, but it's not what they are trying to do.... they don't want to go into the saved search and keep changing it.

0 Karma

SplunkTrust

Ok, but you asked "Ability to add to search without re-running entire search?... I've been asked if there is a way to add/extend a search without re-running it in its entirety."

0 Karma

Champion

Yes, from the search bar. Splitting hairs here... (hah!). The above method works better for me.

0 Karma

Ultra Champion

@jkat54 - I think you misunderstood. @a212830 was looking for a way to essentially play with cached results. In other words, consider a long running search that you're creating, then you want to add one tweak to it and you're left with rerunning the entire thing, which could take so long that it's impractical. Instead, you can run a base search and then manipulate its results in various ways without re-pulling the raw data from the indexers. I hope that clarifies why the other answer was accepted. Two different interpretations of the question.

0 Karma

SplunkTrust

Thanks, he clarified. Just leaving this here in case someone is looking for the other solution.

0 Karma

SplunkTrust

(screenshot)

0 Karma

Champion

That's exactly what they are trying to avoid...

Want to run an interactive search and then easily reference the output of that data and possibly modify the search, without running against an entirely new dataset.

0 Karma


Ultra Champion

+1 to the | loadjob. For long running searches, I use that a ton. Run once, find the sid (job inspector or the url) and then use | loadjob <sid> to manipulate the results without having to rerun. Great for ad-hoc analysis, whereas a savedsearch or csv approach requires creating other knowledge objects and remembering to clean up (not the case with loadjob).
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob

0 Karma
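The loadjob workflow described in the post above, as an added example that is not part of the original thread. The base search over an assumed `index=auth` with a `src_ip` field, and the sid value `1700000000.12345`, are constructed for the example. The first search is the expensive one and tacks on `addinfo` so the job's own sid (`info_sid`) shows up in the results, which avoids a trip to the job inspector; the second lists finished jobs whose search string matches, as another way to recover a sid after the fact; the last two reuse the cached results for different follow-up questions without touching the indexers again.

```spl
index=auth sourcetype=linux_secure "Failed password" earliest=-30d
| stats count AS failures, dc(user) AS distinct_users, values(user) AS users BY src_ip
| addinfo
| eval sid=info_sid
| fields - info_*

| rest /services/search/jobs splunk_server=local
| search title="*Failed password*" dispatchState=DONE
| table sid, title, author, runDuration, published
| sort - published

| loadjob 1700000000.12345
| where failures > 100 AND distinct_users > 20
| sort - failures

| loadjob 1700000000.12345
| iplocation src_ip
| stats sum(failures) AS failures, dc(src_ip) AS sources BY Country
| sort - failures
```

The results you get back from `loadjob` are whatever the base search emitted, so a `stats` base search can only be filtered, enriched (as with `iplocation` above) or re-aggregated from its existing fields; if you expect to slice by a field later, include it in the base search's `BY` clause up front. The artifacts also disappear when the job's TTL runs out, so for a result set you want to come back to tomorrow, extend the job's lifetime from the Job menu or fall back to the `outputcsv` route.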

Champion

Was just thinking... what about datasets? Does any functionality in that help in this situation?

0 Karma

Esteemed Legend

I'll be honest there; I have not played with that stuff yet.

0 Karma

Champion

Thanks! Had not thought of the eventtype one... that's a good one.

0 Karma