
loadjob
Description
Loads events or results of a previously completed search job. The artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.
A search head cluster can run the loadjob
command only on scheduled saved searches. A search head cluster runs searches on results or artifacts that the search head cluster replicates. You cannot run the loadjob
command on ad hoc or real-time searches. For more information on artifact replication, see "Search head clustering architecture" in the Distributed Search manual.
Syntax
| loadjob (<sid> | <savedsearch>) [<result-event>] [<delegate>] [<artifact_offset>] [<ignore_running>]
Required arguments
- sid
- Syntax: <string>
- Description: The search ID of the job whose artifacts need to be loaded, for example:
1233886270.2
- savedsearch
- Syntax: savedsearch="<user-string>:<app-string>:<search-name-string>"
- Description: The unique identifier of a saved search whose artifacts need to be loaded. A saved search is uniquely identified by the triplet {user, app, savedsearch name}, for example:
savedsearch="admin:search:my Saved Search"
There is no method to specify a wildcard or match-all behavior. All portions of the triplet must be provided.
Optional arguments
- result-event
- Syntax: events=<bool>
- Description:
events=true
loads events, whileevents=false
loads results. - Defaults: false
- delegate
- Syntax: job_delegate=<string>
- Description: When specifying a savedsearch, this option selects jobs that were started by the given user. Scheduled jobs will be run by the delegate "scheduler". Dashboard-embedded searches will be run in accordance with the savedsearch's dispatchAs parameter (typically the owner of the search).
- Defaults: scheduler
- artifact_offset
- Syntax: artifact_offset=<int>
- Description: Selects a search artifact other than the most recent matching one. For example, if
artifact_offset=1
, the second most recent artifact will be used. Ifartifact_offset=2
, the third most recent artifact will be used. Ifartifact_offset=0
, selects the most recent. A value that selects past all available artifacts will result in an error. - Default: 0
- ignore_running
- Syntax: ignore_running=<bool>
- Description: Skip over artifacts whose search is still running.
- Default: true
Usage
The loadjob
command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
The loadjob
command can be used for a variety of purposes, but one of the most useful is to run a fairly expensive search that calculates statistics. You can use loadjob
searches to display those statistics for further aggregation, categorization, field selection and other manipulations for charting and display.
After a search job has completed and the results are cached, you can use this command to access or load the results.
Examples
Example 1: Loads the results of the latest scheduled execution of savedsearch MySavedSearch in the 'search' application owned by admin
| loadjob savedsearch="admin:search:MySavedSearch"
Example 2: Loads the events that were generated by the search job with id=1233886270.2
| loadjob 1233886270.2 events=true
See also
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the loadjob command.
PREVIOUS kvform |
NEXT localize |
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4
Comments
Thanks for the suggestion Woodcock.
I have added it to the "See also" section.
You should add "savedsearch" to the "See also" section.
Users should be warned that there is a limit to the events pulled in as per this Q&A:
https://answers.splunk.com/answers/458901/is-there-a-limit-when-using-loadjob.html