
After running a search for a certain time range in Splunk, how can I view the same search results again?

New Member

I have searched Splunk with one query and also applied a datetime range. Now, I want to see the same search results again. How can I achieve that?
I have used the | history command, but it is giving only the search query, not the date time range. Also, I am not able to view search results directly from this history search.

0 Karma

Re: After running a search for a certain time range in Splunk, how can I view the same search results again?

Legend

The search_et and search_lt fields have the Earliest Time and Latest Time, respectively.
What is your use case? Can you please describe it?

0 Karma

Re: After running a search for a certain time range in Splunk, how can I view the same search results again?

SplunkTrust

If the search was saved, then you can use the | loadjob verb.

If it was not saved, then you are going to have to research what the actual earliest and latest were and code them into a query. @niketnilay gave you the name of the fields.

Do you need more explicit instructions?

0 Karma

Re: After running a search for a certain time range in Splunk, how can I view the same search results again?

Communicator

When looking at the history of a job via "| history", search_et ("search earliest time") and search_lt ("search latest time") are the fields that would tell you what range of time was used for the job. This time is in Unix epoch and would need an eval to show a readable format.

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/History

The "| history" command does show the job SID, which is the job ID. If you were to take that job ID and input it into a "| loadjob" command, it would give you the results for the search that was run, as long as it still exists. Jobs have a 10-minute time to live unless you extend the job via Activity < Jobs < Actions < Extend Job Expiration = 7 Days. This will allow you to run the | loadjob "sid" for that job for the next 7 days and return the search results without having to rerun the search.

Hope this helps

0 Karma
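
The steps from this thread combined into one search, as an added example that is not part of any poster's reply: it lists search history with `search_et` and `search_lt` converted from Unix epoch to readable times and builds the `| loadjob` string for each `sid`. The `index=web` filter and the output field names `earliest_readable`, `latest_readable` and `reload_cmd` are constructed for illustration.

```spl
| history
| search search="*index=web*"
| eval earliest_readable=strftime(search_et, "%Y-%m-%d %H:%M:%S")
| eval latest_readable=strftime(search_lt, "%Y-%m-%d %H:%M:%S")
| eval reload_cmd="| loadjob \"" . sid . "\""
| sort - _time
| table _time sid status result_count earliest_readable latest_readable search reload_cmd
```

Pasting a `reload_cmd` value into the search bar returns the stored results only while that job still exists.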

Re: After running a search for a certain time range in Splunk, how can I view the same search results again?

New Member

Thanks for the answer. I thought one click does the job, but it's not 😞

0 Karma