Re: Not launching a new real-time search if a job ...

jwestberg · ‎03-18-2013

I have a scenario with a dashboard running a few simultaneous real-time searches. Unfortunately, this dashboard is becoming popular, and every time a new user loads it, a completely new batch of real-time searches are dispatched.

Would it be possible, by way of Advanced XML or otherwise, to connect subsequent loads of the dashboard to the already running real-time searches? It seems conceivable that it would be possible to retreive any SID assosciated with an identical search, and "re-use" those jobs.

laserval · ‎11-21-2013

As far as I know, it is not possible to share the results of a real-time search between users. loadjob, savedsearch and similar cannot fetch the artifacts as they do not exist - results are only written to the artifact directory when the search is done.

There's been some back-and-forth in the answers to questions about this though, see:

Says it's not possible: Can real-time searche be shared between different users viewing the same dashboard?

Says it is possible: Shared realtime searches possible?

In the end, I have not been able to share results from a real-time search between users.

royimad · ‎03-18-2013

You can call loadjob command , the artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.

| loadjob savedsearch="username:application:MyMasterSavedSearch" | search business=businessX

bwooden · ‎11-20-2013

This will not work with real time searches as there are not artifacts that may be fetched by loadjob for an RT search.

Not launching a new real-time search if a job already exists

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms