Can I run a query on my results from a previous qu...

koocies · ‎04-01-2020

or do I have to run a whole new query?

memarshall63 · ‎04-01-2020

Not much to go on here... Maybe you can provide some more details around what you've tried and what your current data set or query attempts are...

Broadly you can look at these:

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Search
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Where
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchTutorial/Useasubsearch

koocies · ‎04-03-2020

If I run a query I get results, then I look over my results. Sometimes I want to filter out certain things from my results. I'd rather filter out my results and to research the index. I don't need to go back to well, I've got what I need, but I just need to filter out a little.

memarshall63 · ‎04-03-2020

You're looking for a way to persist some search results -- and then further filter them?

There's a few mechanisms for that with Splunk.
I think one is the closest to what you're looking for:
https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Loadjob
See also:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch
https://docs.splunk.com/Documentation/Splunk/8.0.2/Knowledge/Usesummaryindexing

There's likely a few others that also would help.
Good luck.

Can I run a query on my results from a previous query?

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!