Splunk Search

How do I search within results of a search that has already run?

MonkeyK
Builder

Sometimes I write a brutal search that takes a very long time to run and then realize that I need to do something more to visualize it. Is there a way to just refer to the results of my already run search as input to the extra commands?

example
My manager tells me that I need to know all firewall traffic to a group of servers over the last year.

index=firewall dest_ip=192.168.100.0/24

I run this but it takes 30 hours to run. When I get the output, we see that a lot of the traffic is not interesting
now I would like to search on my original results to filter out the uninteresting traffic, something like:

 [get results from sid=1510343822.12851_69BC77DB-3AFA-433E-A86E-CFDBF93FB47D] 
| search NOT user in ["MonkeyA", "MonkeyB", "MonkeyC"] 
| stats count(bytes_in) by dest_ip

Is there a way to do this?

Tags (1)
0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

You can use loadjob to retrieve your search results, if they haven't been reaped yet.

View solution in original post

s2_splunk
Splunk Employee
Splunk Employee

You can use loadjob to retrieve your search results, if they haven't been reaped yet.

MonkeyK
Builder

Perfect! Thank you, this will save a lot of indexer and search head resources!

A couple of notes on this that I learned:

  1. One can only loadjob for jobs that ran on the current searchhead. So logon to the running searchhead first.
  2. To stop worrying about the search being reaped, one can output to a lookup table:

    |loadjob 1510343822.12851_69BC77DB-3AFA-433E-A86E-CFDBF93FB47D | outputlookup myResults.csv

after that, just search the lookup

|inputlookup myResults.csv  
| search NOT user in ["MonkeyA", "MonkeyB", "MonkeyC"] 
| stats count(bytes_in) by dest_ip
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...