Splunk Search

After running a search for a certain time range in Splunk, how can I view the same search results again?

saikumar1729
New Member

I have searched splunk with one query and also applied some datetime range. Now, I want to see the same search results again. How can I achieve that?
I have used the | history command, but it is giving only the search query, not the date time range. Also, I am not able to view search results directly from this history search.

1 Solution

Grumpalot
Communicator

When looking at the history of a job via "| history", the fields search_et ("search earliest time") and search_lt ("search latest time") are the fields that tell you what range of time was used for the job. This time is in Unix epoch and would need to be eval'd to show in a readable format.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/History

The "| history" command does show the job SID, which is the job id. If you were to take that job id and input it into a "| loadjob" command, it would give you the results for the search that was run, as long as it still exists. Jobs have a 10 minute time to live unless you extend the job via Activity < Jobs < Actions < Extend Job Expiration = 7 Days. This will allow you to run | loadjob "sid" for that job for the next 7 days and return the search results without having to rerun the search.

Hope this helps

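Putting the pieces of this answer together as an added example (not from the original thread): the first search lists recent jobs from `| history` with search_et and search_lt rendered from epoch into readable timestamps; the second reloads a still-alive job by SID; the third is the fallback when the job has expired, re-running the query with the recorded epoch values as the earliest/latest time modifiers. The SID, index and query text are placeholders you substitute from your own history output.

```spl
| history
| eval earliest_readable=strftime(search_et, "%Y-%m-%d %H:%M:%S"),
       latest_readable=strftime(search_lt, "%Y-%m-%d %H:%M:%S")
| table sid, search, search_et, search_lt, earliest_readable, latest_readable, status

| loadjob <SID_FROM_HISTORY_OUTPUT>

search index=<YOUR_INDEX> <YOUR_ORIGINAL_QUERY> earliest=<search_et_VALUE> latest=<search_lt_VALUE>
```

Run each search separately; `| loadjob` returns nothing once the job's time to live has passed, which is when the third form is needed.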


saikumar1729
New Member

Thanks for the answer. I thought one click does the job, but it's not 😞


DalJeanis
SplunkTrust

If the search was saved, then you can use the | loadjob verb.

If it was not saved, then you are going to have to research what the actual earliest and latest were and code them into a query. @niketnilay gave you the name of the fields.

Do you need more explicit instructions?


niketnilay
Legend

The search_et and search_lt fields have the Earliest Time and Latest Time, respectively.
What is your use case? Can you please describe it?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"