- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: Historical result of a scheduled report
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is anyway to find all historical results of a scheduled report in splunk? I've seen about REST and the | history command but that command shows only when that report has been scheduled but I want the results of that scheduled report. I've seen also the summary indexing case but summary indexing only collects data from that report but doesn't offer any historical links where to click and see the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you would need to set the expiration for the search to a set period of time (2 weeks if you only want to see two weeks of historical results of said search), and then you should be able to use |loadjob with the correct time frame of when the search ran to grab the historical results. you might be able to use it in conjunction with |history to grab the sid instead of the search name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you would need to set the expiration for the search to a set period of time (2 weeks if you only want to see two weeks of historical results of said search), and then you should be able to use |loadjob with the correct time frame of when the search ran to grab the historical results. you might be able to use it in conjunction with |history to grab the sid instead of the search name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you mean that each time I make a search I need to choose the correct time frame, but this is not what i want. I want that to find all historical results for example all results grouped for each day and when I click on that day to see all events for that day. Like the triggered alerts. You can see history for triggered alerts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Say you only kept 1 month of history (that's how long the expiration was). The time frame would only ever need to be one month, though you could just put all time, if you wanted. You could use the |history command or a |rest Command to get a list of sid and then the |map command with the |loadjob command to loop through all of the sid that were pulled in and bring the data back for all of them.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
