Splunk Search

Not launching a new real-time search if a job already exists

Splunk Employee
Splunk Employee

I have a scenario with a dashboard running a few simultaneous real-time searches. Unfortunately, this dashboard is becoming popular, and every time a new user loads it, a completely new batch of real-time searches are dispatched.

Would it be possible, by way of Advanced XML or otherwise, to connect subsequent loads of the dashboard to the already running real-time searches? It seems conceivable that it would be possible to retreive any SID assosciated with an identical search, and "re-use" those jobs.

Tags (2)


As far as I know, it is not possible to share the results of a real-time search between users. loadjob, savedsearch and similar cannot fetch the artifacts as they do not exist - results are only written to the artifact directory when the search is done.

There's been some back-and-forth in the answers to questions about this though, see:

Says it's not possible: Can real-time searche be shared between different users viewing the same dashboard?

Says it is possible: Shared realtime searches possible?

In the end, I have not been able to share results from a real-time search between users.

0 Karma


You can call loadjob command , the artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.

| loadjob savedsearch="username:application:MyMasterSavedSearch" | search business=businessX

Splunk Employee
Splunk Employee

This will not work with real time searches as there are not artifacts that may be fetched by loadjob for an RT search.

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...