Solved: call save results from view

chandansingh · ‎03-18-2011

Hi every one , i would like to call saved results of splunk in view xml.so i can show saved results to user instead of latest search. please help on same.

David · ‎03-18-2011

I would take a look at the answer to this question:

http://answers.splunk.com/questions/8079/cached-search-results

Specifically, the loadjob search command, or the useHistory option. Alternatively, you can always use summary indexing:

http://www.splunk.com/wiki/Deploy:Summary_Indexing

View solution in original post

sideview · ‎03-19-2011

If you just want to send a specific set of results to someone, just go to:

Actions > Get link to results

That saves the search results (saves the "job" technically) and it gives you a URL that you can copy and paste elsewhere, to view those exact results later. Once a job is saved it wont be deleted by splunkd.

If on the other hand you want a dashboard to always show some relatively recent results rather than always running the search each time the user loads the dashboard, then you want to

a) save the search as a 'saved search'

b) set the dashboard to run from that saved search instead of an inline search string

(You may well have done these steps already)

c) in that saved search, turn on the scheduling options, and set it to run every hour or every day etc.

Once you do that, (and once the schedule has generated at least one job), that dashboard panel will always show the most recently run results for the search instead of running the search on demand.