Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Not launching a new real-time search if a job already exists

jwestberg
Splunk Employee
Splunk Employee
‎03-18-2013 06:20 AM

I have a scenario with a dashboard running a few simultaneous real-time searches. Unfortunately, this dashboard is becoming popular, and every time a new user loads it, a completely new batch of real-time searches are dispatched.

Would it be possible, by way of Advanced XML or otherwise, to connect subsequent loads of the dashboard to the already running real-time searches? It seems conceivable that it would be possible to retreive any SID assosciated with an identical search, and "re-use" those jobs.

Tags (2)
Reply

laserval
Communicator
‎11-21-2013 03:51 AM

As far as I know, it is not possible to share the results of a real-time search between users. loadjob, savedsearch and similar cannot fetch the artifacts as they do not exist - results are only written to the artifact directory when the search is done.

There's been some back-and-forth in the answers to questions about this though, see:

Says it's not possible: Can real-time searche be shared between different users viewing the same dashboard?

Says it is possible: Shared realtime searches possible?

In the end, I have not been able to share results from a real-time search between users.

0 Karma
Reply

royimad
Builder
‎03-18-2013 07:43 AM

You can call loadjob command , the artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.

| loadjob savedsearch="username:application:MyMasterSavedSearch" | search business=businessX

Reply

bwooden
Splunk Employee
Splunk Employee
‎11-20-2013 01:17 PM

This will not work with real time searches as there are not artifacts that may be fetched by loadjob for an RT search.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...