Splunk Search

Not launching a new real-time search if a job already exists

jwestberg
Splunk Employee

I have a scenario with a dashboard running a few simultaneous real-time searches. Unfortunately, this dashboard is becoming popular, and every time a new user loads it, a completely new batch of real-time searches are dispatched.

Would it be possible, by way of Advanced XML or otherwise, to connect subsequent loads of the dashboard to the already running real-time searches? It seems conceivable that it would be possible to retrieve any SID associated with an identical search, and "re-use" those jobs.

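The job-reuse idea in the question, sketched as an added example (not code from the thread or from Splunk): given the job list a client can fetch from the search jobs endpoint, pick an already-running job whose search string matches the panel's search and hand back its SID instead of dispatching again. It assumes the records look like the entries of GET /services/search/jobs?output_mode=json (an acl block with owner and sharing, a content block with sid, dispatchState and isRealTimeSearch); the sample job list is constructed, not captured from a server.

```python
import re

# Added example, not from the thread. Job records are shaped like the `entry`
# items of `GET /services/search/jobs?output_mode=json` (an assumption about
# field names); SAMPLE_JOBS below is constructed, not captured from Splunk.

# Dispatch states in which a job is still producing results and can be attached to.
ACTIVE_STATES = {"QUEUED", "PARSING", "RUNNING", "FINALIZING"}


def normalize_spl(search):
    """Canonical form of a search string so that equivalent panel searches
    compare equal: the implicit leading `search` keyword is made explicit
    (generating commands starting with `|` are left alone) and whitespace
    runs are collapsed."""
    s = search.strip()
    if not s.startswith("|") and not re.match(r"search\b", s, re.I):
        s = "search " + s
    return re.sub(r"\s+", " ", s)


def is_visible_to(job, user):
    """A job can only be reused by `user` if they own it or it was dispatched
    with app or global sharing (assumption: mirrors the job's `acl` block)."""
    acl = job.get("acl", {})
    return acl.get("owner") == user or acl.get("sharing") in ("app", "global")


def find_reusable_sid(jobs, search, user, realtime=True):
    """Return the SID of a live job running the same search that `user` may
    read, or None when a fresh dispatch is unavoidable."""
    want = normalize_spl(search)
    for job in jobs:
        content = job.get("content", {})
        if normalize_spl(job.get("name", "")) != want:
            continue
        if bool(content.get("isRealTimeSearch")) != realtime:
            continue
        if content.get("dispatchState") not in ACTIVE_STATES or content.get("isFailed"):
            continue
        if not is_visible_to(job, user):
            continue
        return content["sid"]
    return None


def sid_for_dashboard_panel(jobs, search, user, dispatch):
    """Reuse an existing job when one qualifies; otherwise call the
    caller-supplied `dispatch` (which would POST /services/search/jobs)
    and return the SID it produced."""
    sid = find_reusable_sid(jobs, search, user)
    return sid if sid is not None else dispatch(search)


# Constructed sample of what the jobs endpoint might list.
SAMPLE_JOBS = [
    {"name": "search index=web status=500 | stats count by host",
     "acl": {"owner": "jwestberg", "app": "search", "sharing": "app"},
     "content": {"sid": "rt_1700000000.10", "dispatchState": "RUNNING",
                 "isRealTimeSearch": True, "isFailed": False}},
    {"name": "search index=web status=500 | stats count by host",
     "acl": {"owner": "alice", "app": "search", "sharing": "user"},
     "content": {"sid": "rt_1700000001.11", "dispatchState": "RUNNING",
                 "isRealTimeSearch": True, "isFailed": False}},
    {"name": "search index=web status=500 | stats count by host",
     "acl": {"owner": "bob", "app": "search", "sharing": "app"},
     "content": {"sid": "1700000002.12", "dispatchState": "DONE",
                 "isRealTimeSearch": False, "isFailed": False}},
]

if __name__ == "__main__":
    panel = "index=web   status=500 | stats count by host"
    # A third user attaches to jwestberg's app-shared real-time job ...
    print(find_reusable_sid(SAMPLE_JOBS, panel, "carol"))
    # ... but a search nobody is running yields None and must be dispatched.
    print(sid_for_dashboard_panel(SAMPLE_JOBS, "index=mail", "carol",
                                  lambda s: "<sid of new dispatch>"))
```

Once a SID is chosen, the panel would poll that job's results_preview endpoint rather than a completed artifact, which is the part the later answers point out: a real-time job never finishes, so there is nothing for loadjob to pick up and the only thing to share is the live job itself, and only while its owner's session keeps it alive.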

laserval
Communicator

As far as I know, it is not possible to share the results of a real-time search between users. loadjob, savedsearch and similar cannot fetch the artifacts as they do not exist - results are only written to the artifact directory when the search is done.

There's been some back-and-forth in the answers to questions about this though, see:

Says it's not possible: Can real-time search be shared between different users viewing the same dashboard?

Says it is possible: Shared realtime searches possible?

In the end, I have not been able to share results from a real-time search between users.


royimad
Builder

You can call the loadjob command; the artifacts to load are identified either by the search job id or by a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range, the latest artifacts are loaded.

| loadjob savedsearch="username:application:MyMasterSavedSearch" | search business=businessX

bwooden
Splunk Employee

This will not work with real-time searches, as there are no artifacts that may be fetched by loadjob for an RT search.
