Splunk® Enterprise

Search Reference

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

loadjob

Description

Loads events or results of a previously completed search job. The artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.

A search head cluster can run the loadjob command only on saved searches. A search head cluster runs searches on results or artifacts that the search head cluster replicates. You cannot run the loadjob command on ad hoc or real-time searches.

Syntax

| loadjob (<sid> | <savedsearch>) [<result-event>] [<delegate>] [<artifact-offset>] [<ignore-running>]

Required arguments

sid
Syntax: <string>
Description: The search ID of the job whose artifacts need to be loaded, for example: 1233886270.2
savedsearch
Syntax: savedsearch="<user-string>:<app-string>:<search-name-string>"
Description: The unique identifier of a savedsearch whose artifacts need to be loaded. A savedsearch is uniquely identified by the triplet {user, app, savedsearch name}, for example: savedsearch="admin:search:my Saved Search" There is no method to specify a wildcard or match-all behavior, all portions of the triplet must be provided.

Optional arguments

result-event
Syntax: events=<bool>
Description: events=true loads events, while events=false loads results.
Defaults: false
delegate
Syntax: job_delegate=<string>
Description: When specifying a savedsearch, this option selects jobs that were started by the given user. Scheduled jobs will be run by the delegate "scheduler". Dashboard-embedded searches will be run in accordance with the savedsearch's dispatchAs parameter (typically the owner of the search).
Defaults: scheduler
artifact-offset
Syntax: artifact_offset=<int>
Description: Selects a search artifact other than the most recent matching one. For example, if artifact_offset=1, the second most recent artifact will be used. If artifact_offset=2, the third most recent artifact will be used. If artifact_offset=0, selects the most recent. A value that selects past all available artifacts will result in an error.
Default: 0
ignore_running
Syntax: ignore_running=<bool>
Description: Skip over artifacts whose search is still running.
Default: true

Usage

The loadjob command is a generating commandand should be the first command in the search. Generating commands use a leading pipe character.

The loadjob command can be used for a variety of purposes, but one of the most useful is to run a fairly expensive search that calculates statistics. You can use loadjob searches to display those statistics for further aggregation, categorization, field selection and other manipulations for charting and display.

After a search job has completed and the results are cached, you can use this command to access or load the results.

Examples

Example 1: Loads the results of the latest scheduled execution of savedsearch MySavedSearch in the 'search' application owned by admin

| loadjob savedsearch="admin:search:MySavedSearch"

Example 2: Loads the events that were generated by the search job with id=1233886270.2

| loadjob 1233886270.2 events=true

See also

inputcsv

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the loadjob command.

PREVIOUS
kvform
  NEXT
localize

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.13, 6.2.14, 6.2.15


Comments

Oh, I was getting confused and I didn't realized that loadjob was for showing the result of a *scheduled* saved search. Thanks for the clarification.

Hobbes3
November 6, 2013

That is odd, I'm loading jobs right now using spaces in the search name:<br />| loadjob savedsearch="admin:search:Process Status - input count last 60 minutes"<br /><br />In what way does it not work? Make sure the job has run and the results are cached before attempting to load it.

Laserval
October 24, 2013

For <br /><br />| loadjob savedsearch="admin:search:MySavedSearch"<br /><br />How do I load the results of a saved search if the saved search name has spaces (or other special characters)?<br /><br />For example if the saved search is called "My Saved Search", then doing any of this *doesn't* work:<br /><br />| loadjob savedsearch="admin:search:My Saved Search"<br />| loadjob savedsearch="admin:search:My\ Saved\ Search"<br />| loadjob savedsearch="admin:search:My%20Saved%20Search"<br />| loadjob savedsearch="admin:search:'My Saved Search'"<br /><br />I understand you can just do<br /><br />| savedsearch "My Saved Search"<br /><br />but I wanted to know how to do it with loadjob.

Skawasaki splunk, Splunker
September 6, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters