Splunk Search

How to load all artifact_offsets in loadjob?

axelmunoz
New Member

Hey all! I have a saved search that runs on a schedule and generates those "artifacts". I know I can access a specific artifact offset like this:

| loadjob savedsearch="my.user:search:test_search" artifact_offset=<int>

What I want is to load ALL available artifact offsets. This can be a variable amount and therefore I can't do an append.
Is there any way to do this?

0 Karma

niketn
Legend

@axelmunoz as per the documentation, an attempt to fetch all artifacts will lead to an error. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob#Optional_arguments

A value that selects past all available artifacts will result in an error.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

axelmunoz
New Member

@niketnilay So the wording on the documentation is a little different. We don't want to select past all available artifacts, we want to select exactly all available artifacts.

0 Karma

Derson
Explorer

I know it has been a while since you asked this, @axelmunoz, but this might be able to help others, since I couldn't find any results either and had to make something. If I made any bad assumptions, please correct me.
Alternate definition for an artifact: "An artifact is a saved search job that has not reached its ttl yet per search, user, app"

This returns all of the artifact SIDs, then makes an event for each and uses the map command to loop through them, loading in the results.

| rest /services/search/jobs
| rename eai:acl.app as app
| table author label app defaultTTL ttl diskUsage dispatchState isDone id isFailed isSavedSearch delegate published sid ```extra fields for human```
| where isDone=1 AND like(label,"PutSavedSearchNameHere") ```update this with the name of the search you want. probably smart to add app and user too```
| stats values(sid) as sid by label app author ```this version will be limited by values() max. Use count and mvrange instead if you need over values() max```
| mvexpand sid
| map maxsearches=50000 search="| loadjob $sid$"

0 Karma
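
Added example, not part of any post above and not Splunk's own code: the comment in Derson's search suggests using count and mvrange instead of values(), and the variant below does that while walking the artifact_offset values from the original question. It assumes the saved search, user and app named in the question, that every finished, non-failed, scheduler-dispatched job listed by REST is an artifact loadjob can select, and a constructed maxsearches value.

```spl
| rest /services/search/jobs
| rename eai:acl.app as app
| where isSavedSearch=1 AND isDone=1 AND isFailed=0 AND delegate="scheduler" ```assumption: these are the jobs loadjob treats as artifacts```
| where label="test_search" AND author="my.user" AND app="search" ```saved search, user and app taken from the question```
| stats count as artifact_count
| where artifact_count>0 ```nothing to load if no artifact is left on disk```
| eval artifact_offset=mvrange(0, artifact_count) ```offsets 0 .. artifact_count-1; 0 is the most recent artifact```
| mvexpand artifact_offset
| map maxsearches=1000 search="| loadjob savedsearch=\"my.user:search:test_search\" artifact_offset=$artifact_offset$"
```

If the count is higher than the number of artifacts loadjob can actually select, the highest offsets hit the documented error for selecting past all available artifacts, so tighten the filter rather than raising maxsearches.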