I have searched splunk with one query and also applied some datetime range. Now, I want to see the same search results again. How can I achieve that?
I have used the | history command, but it is giving only the search query, not the date time range. Also, I am not able to view search results directly from this history search.
When looking at the history of a job via "| history", the fields search_et ("search earliest time") and search_lt ("search latest time") tell you what time range was used for the job. These times are in Unix epoch and would need an eval to show them in a readable format.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/History
The "| history" command does show the job SID, which is the job id. If you take that job id and put it into a "| loadjob" command, it will give you the results for the search that was run, as long as the job still exists. Jobs have a 10 minute time to live unless you extend the job via Activity > Jobs > Actions > Extend Job Expiration = 7 Days. This will allow you to run | loadjob "sid" for that job for the next 7 days and return the search results without having to rerun the search.
Hope this helps
Thanks for the answer. I thought one click does the job, but it's not 😞
If the search was saved, then you can use the | loadjob verb.
If it was not saved, then you are going to have to research what the actual earliest and latest were and code them into a query. @niketnilay gave you the names of the fields.
Do you need more explicit instructions?
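As an added worked example (not part of either answer above), the three SPL searches below tie the two answers together: list your own search history with search_et and search_lt converted from epoch to readable timestamps, reload the stored results of one job by its SID, and, if that job has already expired, rerun the original query with the recovered epoch bounds. The SID 1700000000.12345, the query on index=main, and the epoch values are constructed placeholders; substitute the sid, search and search_et/search_lt values that the first search shows for your own job.

```spl
| history
| eval earliest_time=strftime(search_et, "%Y-%m-%d %H:%M:%S"),
       latest_time=strftime(search_lt, "%Y-%m-%d %H:%M:%S")
| table _time sid search earliest_time latest_time search_et search_lt
| sort - _time

| loadjob 1700000000.12345

search index=main sourcetype=access_combined status=500 earliest=1700000000 latest=1700003600
```

Run the searches one at a time. The first search lists the jobs you have run, newest first, with the time range in both epoch and readable form; the _time column is when the job was run. The second search returns the results stored for that job and only works while the job artifacts still exist (the 10 minute default, or the extended expiration described above) and for a job you are permitted to read. The third search reproduces the original time window, but it reads live data, so its results can differ from the stored job if new events have been indexed for that window or old ones have aged out of the index. Keep the epoch values exactly as history reports them rather than retyping a rounded human-readable time, so the rerun covers the same window as the original job.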
The search_et and search_lt fields hold the Earliest Time and Latest Time respectively.
What is your use case? Can you please describe it?