Hi,
I have a saved search set up in Splunk.
Using the REST API, when I dispatch that saved search and then get the results back, it takes ~40-60 seconds for this particular saved search (I have a few others that complete in 2-3 seconds to dispatch and fetch results).
The saved search query looks something like this (obfuscating variable names, index names, etc):
index=myIndex source=*someSource* | rename var1 AS VAR1 var2 AS VAR2 | fields - _raw | join type=inner VAR3 [search earliest=1 latest=now index=otherIndex |fields - _raw | fields + field1, field2| rename var4 AS VAR4] |fields + field3,field4| join type=left someID [|search index=thirdIndex | fields - _raw | fields + field5, field6 | dedup SOMEVAR ] | search someVAr=* | top VAR10 limit=10
So when I run this saved search in the UI itself and look at the activity log for jobs, I'll see my saved search execute BUT I also see several subsearches executing. My saved search doesn't start until the subsearches are 100% and done.
Why is this happening? Is there a way to set up my saved search to execute this full query in one go instead of doing multiple subsearches?
I looked at "loadjob" and this worked partially. For some of my searches, I use the $args$ to run based on some criterira. With the loadjob, I wasn't able to properly do a replace of the args with the value I wanted so this wouldn't work.
thanks!
↧