Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

call save results from view

chandansingh
Explorer
‎03-18-2011 01:08 PM

Hi every one , i would like to call saved results of splunk in view xml.so i can show saved results to user instead of latest search. please help on same.

Tags (1)
Reply
2 Solutions
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎03-18-2011 05:03 PM

I would take a look at the answer to this question:

http://answers.splunk.com/questions/8079/cached-search-results

Specifically, the loadjob search command, or the useHistory option. Alternatively, you can always use summary indexing:

http://www.splunk.com/wiki/Deploy:Summary_Indexing

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-19-2011 07:24 AM

If you just want to send a specific set of results to someone, just go to:

Actions > Get link to results

That saves the search results (saves the "job" technically) and it gives you a URL that you can copy and paste elsewhere, to view those exact results later. Once a job is saved it wont be deleted by splunkd.

If on the other hand you want a dashboard to always show some relatively recent results rather than always running the search each time the user loads the dashboard, then you want to

a) save the search as a 'saved search'

b) set the dashboard to run from that saved search instead of an inline search string

(You may well have done these steps already)

c) in that saved search, turn on the scheduling options, and set it to run every hour or every day etc.

Once you do that, (and once the schedule has generated at least one job), that dashboard panel will always show the most recently run results for the search instead of running the search on demand.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-19-2011 07:24 AM

If you just want to send a specific set of results to someone, just go to:

Actions > Get link to results

That saves the search results (saves the "job" technically) and it gives you a URL that you can copy and paste elsewhere, to view those exact results later. Once a job is saved it wont be deleted by splunkd.

If on the other hand you want a dashboard to always show some relatively recent results rather than always running the search each time the user loads the dashboard, then you want to

a) save the search as a 'saved search'

b) set the dashboard to run from that saved search instead of an inline search string

(You may well have done these steps already)

c) in that saved search, turn on the scheduling options, and set it to run every hour or every day etc.

Once you do that, (and once the schedule has generated at least one job), that dashboard panel will always show the most recently run results for the search instead of running the search on demand.

Reply
Solved! Jump to solution
Solution

David
Splunk Employee
Splunk Employee
‎03-18-2011 05:03 PM

I would take a look at the answer to this question:

http://answers.splunk.com/questions/8079/cached-search-results

Specifically, the loadjob search command, or the useHistory option. Alternatively, you can always use summary indexing:

http://www.splunk.com/wiki/Deploy:Summary_Indexing

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...