Splunk Search

Where do saved search results go?

blurblebot
Communicator

Now that I've used the "Save results" button on my search results and can access them through the jobs screen, where is that saved result data being kept? Are they in the same index as they were when I found them? Have those results been copied to a new index? Are those results in some extra-index phantom zone?

My main reason for asking is that I want to know if they are subject to the same retention/rollover schedule as the indexes in which those results lived before I searched them out and captured them with "save results."

Any takers?

Thank you!

-Steve

1 Solution

jbsplunk
Splunk Employee

Saved search results come from the index they were initially pulled from; however, the results themselves are served from disk, from the $SPLUNK_HOME/var/run/splunk/dispatch/search/ folder.

As an example, here are some of mine, again, in $SPLUNK_HOME/splunk/var/run/splunk/dispatch:

drwx------   2 stuff things  4096 May 26 10:15 scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306430100_7edee2e2cfcda8eb
drwx------   2 stuff things  4096 May 26 10:30 scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306431000_ff79649bab08acd2
drwx------   2 stuff things  4096 May 26 10:35 scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431300_42a445258b88c357
drwx------   2 stuff things  4096 May 26 10:40 scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431600_e21d10240c010dc6

The results would be held on disk until the TTL for that particular search expires, irrespective of whether the retention policy has rolled the events from cold to frozen.

Once they are frozen, your search will never return those results again unless you are using a coldToFrozenDir or script and you've thawed the data.

They are subject to the same retention policy, but since they are held on disk until the job expires, you won't see the effect until that occurs.


gkanapathy
Splunk Employee

Yes, you can adjust the ttl by setting dispatch.ttl. That is exactly what it is for. You can also set it when you dispatch the saved search using the -timeout parameter on the CLI, or the timeout parameter in the REST API.


blurblebot
Communicator

Thank you for the great answer. Would I be able to adjust the TTL of that saved search, say, through savedsearches.conf? dispatch.ttl seems almost like what I'm looking for, but the conf description introduces some ambiguities.

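The two answers above make a point worth checking on a live system: the dispatch directory holds a copy of the matched events that outlives the index's own retention, and the only thing that ages it out is the job TTL. The script below is an added example (not code from the thread, from Splunk, or from either poster) that decodes the scheduler directory names jbsplunk listed and works out when each job's results expire under a given savedsearches.conf dispatch.ttl value. It assumes the 2011-era naming layout visible in the listing, scheduler__<owner>__<app>_<base64 search name>_at_<dispatch epoch>_<hash> (newer releases name these directories differently), that app names contain no underscore, and that a dispatch.ttl written as "<n>p" means n multiples of the search's scheduled period, which the script infers from the gap between consecutive runs of the same search. The four directory names are taken from the answer; the "now" timestamp is constructed.

```python
"""Decode Splunk scheduler dispatch directory names and report which jobs'
saved results are still on disk under $SPLUNK_HOME/var/run/splunk/dispatch
for a given savedsearches.conf dispatch.ttl.  Added example, not Splunk code."""
import base64
import os
from datetime import datetime, timezone

# Constructed sample input: the four directory names quoted in jbsplunk's answer.
SAMPLE_DISPATCH_DIRS = [
    "scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306430100_7edee2e2cfcda8eb",
    "scheduler__nobody__search_SW5kZXhpbmcgd29ya2xvYWQ_at_1306431000_ff79649bab08acd2",
    "scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431300_42a445258b88c357",
    "scheduler__nobody__search_VG9wIGZpdmUgc291cmNldHlwZXM_at_1306431600_e21d10240c010dc6",
]


def decode_b64_name(b64name):
    """The saved-search name is embedded as unpadded base64; restore padding first."""
    padded = b64name + "=" * (-len(b64name) % 4)
    return base64.b64decode(padded).decode("utf-8")


def parse_sid(sid):
    """Split 'scheduler__<owner>__<app>_<b64 name>_at_<epoch>_<hash>'.
    Assumed layout, inferred from the listing in the thread; an app name
    containing '_' would be split incorrectly."""
    kind, _, rest = sid.partition("__")
    if kind != "scheduler":
        raise ValueError(f"not a scheduler job id: {sid}")
    owner, _, rest = rest.partition("__")
    app_and_name, sep, tail = rest.rpartition("_at_")
    if not sep:
        raise ValueError(f"no '_at_' marker in: {sid}")
    app, _, b64name = app_and_name.partition("_")
    epoch, _, job_hash = tail.partition("_")
    return {
        "owner": owner,
        "app": app,
        "search_name": decode_b64_name(b64name),
        "dispatched": int(epoch),
        "hash": job_hash,
    }


def ttl_seconds(dispatch_ttl, period_seconds):
    """Interpret a dispatch.ttl value: a plain integer is seconds, a trailing
    'p' means that many multiples of the search's scheduled period."""
    value = dispatch_ttl.strip()
    if value.endswith("p"):
        return int(value[:-1]) * period_seconds
    return int(value)


def infer_periods(jobs):
    """Smallest gap between consecutive dispatches of the same search, per name;
    None when only one run of that search is present."""
    by_name = {}
    for job in jobs:
        by_name.setdefault(job["search_name"], []).append(job["dispatched"])
    periods = {}
    for name, times in by_name.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        periods[name] = min(gaps) if gaps else None
    return periods


def live_jobs(dispatch_dirs, dispatch_ttl, now):
    """Return (search_name, dispatched, expires) for every job whose results
    are still readable at epoch `now` under `dispatch_ttl`, oldest first."""
    jobs = [parse_sid(d) for d in dispatch_dirs]
    periods = infer_periods(jobs)
    out = []
    for job in jobs:
        period = periods[job["search_name"]]
        if period is None and dispatch_ttl.strip().endswith("p"):
            continue  # a period-relative TTL cannot be resolved from a single run
        expires = job["dispatched"] + ttl_seconds(dispatch_ttl, period or 0)
        if expires > now:
            out.append((job["search_name"], job["dispatched"], expires))
    return sorted(out, key=lambda row: row[1])


def scan_dispatch_dir(path, dispatch_ttl, now=None):
    """Same report over a real dispatch directory; non-scheduler entries are skipped."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    names = [n for n in os.listdir(path) if n.startswith("scheduler__")]
    return live_jobs(names, dispatch_ttl, now)


if __name__ == "__main__":
    now = 1306432000  # constructed "now": 2011-05-26 17:46:40 UTC (10:46:40 in the listing's zone)
    for name, started, expires in live_jobs(SAMPLE_DISPATCH_DIRS, "2p", now):
        print(f"{name!r:25} dispatched {datetime.fromtimestamp(started, timezone.utc):%H:%M:%S}Z "
              f"expires {datetime.fromtimestamp(expires, timezone.utc):%H:%M:%S}Z")
```

Run against the listing, the names decode to "Indexing workload" (dispatched every 900 s) and "Top five sourcetypes" (every 300 s); with dispatch.ttl = 2p the earlier run of each has already expired at the constructed "now", while the later runs are still readable, which is the window in which a search over frozen buckets still returns results from disk. Point scan_dispatch_dir at a real $SPLUNK_HOME/var/run/splunk/dispatch to see the same for your own scheduled searches.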