Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk query slow.......

DTERM
Contributor
‎08-28-2012 08:03 AM

Is there a way to take a query, run it in the background, save the results to a file, and then reference that file in another query? I have a few queries that take too long to run. Can I run those in the background (say maybe one or twice a day), and reference the output?

A sample query would be like....

index=whatever | top 15 hosts

A lookup table is close but that doesn't quite accomplish the objetive.

Thanks...

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎08-28-2012 08:38 AM

You could use the loadjob command:

| loadjob 1346168165.751

It will emit the results of the previously executed (and saved) search.

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎08-28-2012 08:38 AM

You could use the loadjob command:

| loadjob 1346168165.751

It will emit the results of the previously executed (and saved) search.

Reply
Solved! Jump to solution

DTERM
Contributor
‎08-29-2012 01:13 PM

Great. Thanks!!

0 Karma
Reply
Solved! Jump to solution

sdaniels
Splunk Employee
Splunk Employee
‎08-29-2012 10:47 AM

There are a few commands that start with the pipe and nothing before it. You'll see examples here.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchCheatsheet

0 Karma
Reply
Solved! Jump to solution

DTERM
Contributor
‎08-29-2012 10:39 AM

That sounds perfect. However, I'm confused about the pipe before the command. In the following example, what would I place before the "|" if anything?

| loadjob savedsearch="admin:search:MySavedSearch"

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...