Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Extend Search without re-running

thepocketwade
Path Finder
‎10-12-2010 02:17 PM

I just ran a search over the last 24 hours which returned a large number of results, but not the full picture I was looking for. So I extended the time frame to the last 7 days. Doing that reran the whole search, including the results I'd already amassed over the last 24 hours.

I could feasibly open a new window and run the search over 6 days, and have the two sets of results to work with; but is there a way to concatenate these results together?

Tags (1)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎10-12-2010 02:46 PM

Well, I suppose you could use a combination of the append and loadjob commands.

newsearch | append [ loadjob oldsearchid ]
Reply

landen99
Motivator
‎03-07-2014 07:34 AM

Found the sid as the last element in the url while the search was loaded/started.

0 Karma
Reply

thepocketwade
Path Finder
‎10-12-2010 03:56 PM

From the actions menu you can select "Inspect Search." The search inspector window will pop up, and you can find a lot of information (including the search id) there.

0 Karma
Reply

christopherutz
Path Finder
‎10-12-2010 03:34 PM

This seems very useful. In what methods can the old search id be obtained? I know it can be retrieved from the jobs view but are there any other ways? Does the jobid end up as a field of the results?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...