loadjob

Description

Loads events or results of a previously completed search job. The artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.

A search head cluster can run the loadjob command only on scheduled saved searches. A search head cluster runs searches on results or artifacts that the search head cluster replicates. You cannot run the loadjob command on ad hoc or real-time searches. For more information on artifact replication, see "Search head clustering architecture" in the Distributed Search manual.

Syntax

| loadjob (<sid> | <savedsearch>) [<result-event>] [<delegate>] [<artifact_offset>] [<ignore_running>]

Required arguments

sid

Syntax: <string>

Description: The search ID of the job whose artifacts need to be loaded, for example: 1233886270.2

savedsearch

Syntax: savedsearch="<user-string>:<app-string>:<search-name-string>"

Description: The unique identifier of a saved search whose artifacts need to be loaded. A saved search is uniquely identified by the triplet {user, app, savedsearch name}, for example: savedsearch="admin:search:my Saved Search" There is no method to specify a wildcard or match-all behavior. All portions of the triplet must be provided.

Optional arguments

result-event

Syntax: events=<bool>

Description: events=true loads events, while events=false loads results.

Defaults: false

delegate

Syntax: job_delegate=<string>

Description: When specifying a savedsearch, this option selects jobs that were started by the given user. Scheduled jobs will be run by the delegate "scheduler". Dashboard-embedded searches will be run in accordance with the savedsearch's dispatchAs parameter (typically the owner of the search).

Defaults: scheduler

artifact_offset

Syntax: artifact_offset=<int>

Description: Selects a search artifact other than the most recent matching one. For example, if artifact_offset=1, the second most recent artifact will be used. If artifact_offset=2, the third most recent artifact will be used. If artifact_offset=0, selects the most recent. A value that selects past all available artifacts will result in an error.

Default: 0

ignore_running

Syntax: ignore_running=<bool>

Description: Skip over artifacts whose search is still running.

Default: true

Usage

The loadjob command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.

The loadjob command can be used for a variety of purposes, but one of the most useful is to run a fairly expensive search that calculates statistics. You can use loadjob searches to display those statistics for further aggregation, categorization, field selection and other manipulations for charting and display.

After a search job has completed and the results are cached, you can use this command to access or load the results.

Examples

Example 1: Loads the results of the latest scheduled execution of savedsearch MySavedSearch in the 'search' application owned by admin

| loadjob savedsearch="admin:search:MySavedSearch"

Example 2: Loads the events that were generated by the search job with id=1233886270.2

| loadjob 1233886270.2 events=true

See also

inputcsv, savedsearch

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the loadjob command.