Solved: splunk query slow.......

DTERM · ‎08-28-2012

Is there a way to take a query, run it in the background, save the results to a file, and then reference that file in another query? I have a few queries that take too long to run. Can I run those in the background (say maybe one or twice a day), and reference the output?

A sample query would be like....

index=whatever | top 15 hosts

A lookup table is close but that doesn't quite accomplish the objetive.

Thanks...

ziegfried · ‎08-28-2012

You could use the loadjob command:

| loadjob 1346168165.751

It will emit the results of the previously executed (and saved) search.

View solution in original post

ziegfried · ‎08-28-2012

You could use the loadjob command:

| loadjob 1346168165.751

It will emit the results of the previously executed (and saved) search.

DTERM · ‎08-29-2012

Great. Thanks!!

sdaniels · ‎08-29-2012

There are a few commands that start with the pipe and nothing before it. You'll see examples here.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchCheatsheet

DTERM · ‎08-29-2012

That sounds perfect. However, I'm confused about the pipe before the command. In the following example, what would I place before the "|" if anything?

| loadjob savedsearch="admin:search:MySavedSearch"

splunk query slow.......

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor