I have searched splunk with one query and also applied some datetime range. Now, I want to see the same search results again. How can I achieve that?
I have used the | history command, but it is giving only the search query, not the date-time range. Also, I am not able to view search results directly from this history search.
The search_et and search_lt fields have the Earliest Time and Latest Time respectively.
What is your use case? Can you please describe it?
If the search was saved, then you can use the | loadjob verb.
If it was not saved, then you are going to have to research what the actual earliest and latest were and code them into a query. @niketnilay gave you the names of the fields.
Do you need more explicit instructions?
When looking at the history of a job via "| history", the fields search_et ("search earliest time") and search_lt ("search latest time") tell you what time range was used for the job. These times are in Unix epoch and would need to be converted with eval to show a readable format.
The "| history" command does show the job SID, which is the job id. If you were to take that job id and input it into a "| loadjob" command, it would give you the results for the search that was run, as long as the job still exists. Jobs have a 10-minute time to live unless you extend the job via Activity > Jobs > Actions > Extend Job Expiration = 7 Days. This will allow you to run | loadjob "sid" for that job for the next 7 days and return the search results without having to rerun the search.
Hope this helps.
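Putting the two answers above together, here is an added SPL example (written for this page, not posted by any of the participants). The first query lists your recent searches with the epoch fields search_et and search_lt converted to readable timestamps next to the SID. The second query reloads the stored results of one job by its SID. The third shows the fallback when the job artifact has expired: rerun the original search with the recovered epoch values pinned as earliest and latest. The SID 1617005400.12345, the index name web, the sourcetype access_combined and the status=500 filter are constructed placeholders for illustration; substitute your own.

```spl
| history
| eval earliest_time=strftime(search_et, "%Y-%m-%d %H:%M:%S"),
       latest_time=strftime(search_lt, "%Y-%m-%d %H:%M:%S")
| table _time sid search earliest_time latest_time

| loadjob 1617005400.12345

search index=web sourcetype=access_combined status=500
    earliest=1617001800 latest=1617005400
```

Two practical caveats: | loadjob only returns results while the job artifact still exists (the default 10-minute TTL, or longer if you extended the expiration), and it raises an error rather than rerunning the search if the artifact is gone. Also, a search that was run over all time has no fixed earliest or latest, so search_et and search_lt may be empty for such jobs and strftime will return nothing for them; in that case the fallback query should simply omit the earliest and latest modifiers.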
Thanks for the answer. I thought one click would do the job, but it does not 😞