Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a search command to look up results from saved results?

monicato
Path Finder
‎07-19-2012 10:16 AM

Hi there!

Is there a search command that will allow me to look up results from a "saved result"? I'm looking for ways I could speed up my populating search. My populating search is taking too long to search and I was wondering if there's a way for me to have my search run before and save the results and just have my populating search read from the results. can anyone help? ~thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎07-19-2012 10:28 AM

Sounds as if you want summary indexing, see Use summary indexing for increased reporting efficiency in the Knowledge Manager Manual: "With summary indexing, you set up a search that extracts the precise information you want, on a frequent basis. Each time Splunk runs this search it saves the results into a summary index that you designate. You can then run searches and reports on this significantly smaller (and thus seemingly "faster") summary index."

View solution in original post

Reply
Solved! Jump to solution

hexx
Splunk Employee
Splunk Employee
‎07-19-2012 11:56 AM

Although not quite the easiest command to use to instrument a dashboard (Ayn's answer is probably the most appropriate to that effect), I still want to mention the loadjob command, which does exactly what is stated in the original question : It loads up results from an existing search artifact when provided with the search ID.

Reply
Solved! Jump to solution

monicato
Path Finder
‎07-20-2012 09:50 AM

Thanks! This is what i was originally asking for. 🙂

Reply
Solved! Jump to solution

Ayn
Legend
‎07-19-2012 11:48 AM

You could also run saved searches regularly, and then load results from the last saved search. More information is available for instance here: http://splunk-base.splunk.com/answers/862/can-i-make-my-dashboards-load-faster-by-scheduling-the-sea...

And also the advanced XML module reference has information on how to use this by setting the useHistory parameter for the relevant modules you're using. This reference is available on your Splunk server, in http(s)://splunkserver:port/modules

Reply
Solved! Jump to solution
Solution

ChrisG
Splunk Employee
Splunk Employee
‎07-19-2012 10:28 AM

Sounds as if you want summary indexing, see Use summary indexing for increased reporting efficiency in the Knowledge Manager Manual: "With summary indexing, you set up a search that extracts the precise information you want, on a frequent basis. Each time Splunk runs this search it saves the results into a summary index that you designate. You can then run searches and reports on this significantly smaller (and thus seemingly "faster") summary index."

Reply
Solved! Jump to solution

monicato
Path Finder
‎07-19-2012 11:17 AM

Thanks! This does sound like what I wanted, I'll look into this!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...