Extend Search without re-running

thepocketwade · ‎10-12-2010

I just ran a search over the last 24 hours which returned a large number of results, but not the full picture I was looking for. So I extended the time frame to the last 7 days. Doing that reran the whole search, including the results I'd already amassed over the last 24 hours.

I could feasibly open a new window and run the search over 6 days, and have the two sets of results to work with; but is there a way to concatenate these results together?

gkanapathy · ‎10-12-2010

Well, I suppose you could use a combination of the append and loadjob commands.

newsearch | append [ loadjob oldsearchid ]

landen99 · ‎03-07-2014

Found the sid as the last element in the url while the search was loaded/started.

thepocketwade · ‎10-12-2010

From the actions menu you can select "Inspect Search." The search inspector window will pop up, and you can find a lot of information (including the search id) there.

christopherutz · ‎10-12-2010

This seems very useful. In what methods can the old search id be obtained? I know it can be retrieved from the jobs view but are there any other ways? Does the jobid end up as a field of the results?

Extend Search without re-running

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Extend Search without re-running

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem