Hi,
I have a savedsearch set up within Splunk that uses the "$args$". I have one arg as "filter" and another as "deepFilter".
So saved search query looks something like this (name is my_saved_search):
index="my-index" field1=$args.filter$ | replace someField with $args.deepFilter$
When I manually replace the arg values with the values I want, I get the results back; however, it takes almost 20-30 seconds to fetch the results (large data set). Even with a saved search, the dispatch takes up to 10-20 seconds.
I want to cut the time to load data down so I came across the "loadjob".
It went from 20 seconds down to 1 second to fetch the jobs using loadjob.
Loadjob query is: "|loadjob savedsearch="admin:search:my_saved_search" | replace args.filter with *"
While this was good, I noticed that it didn't account for my args/filters. The above loaded results.
I tried with a different filter:
Loadjob query is: "|loadjob savedsearch="admin:search:my_saved_search" | replace args.filter with ABC"
It pulled up the same results as the first loadjob
I want to have history for all of the various args that could be used in the saved search query. Is this possible with the loadjob?
Thanks!