topic multiple base search in Splunk Search

multiple base search

secure — Wed, 05 Feb 2025 15:58:05 GMT

Hi i have a complex base search where iam comparing data from two indexes using left join and getting the results in a table query is working fine but its very slow

so i have now decided to split it into two base searches and then combine them in the panel

index=serverdata | rex "host_name=\"(?<server_host_name>[^\"]*)" | lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group |chart dc(host_name) over appcode by host_environment | eval TOTAL_servers=DEV+PAT+PROD | table appcode DEV PAT PROD TOTAL_servers

2nd Base search

i want to use this in third panel combine both the searches using a left join and get the list of servers details in both the index

question how can i use two base searches in a single search

Re: multiple base search

gcusello — Wed, 05 Feb 2025 16:03:47 GMT

Hi @secure ,

in a dashboard it's possible to define more base searches, but in each panel, it's possible to use only one base search, not more.

Ciao.

Giuseppe

Re: multiple base search

burwell — Wed, 05 Feb 2025 19:58:56 GMT

Hi @secure as @gcusello stated you can have only one base search.

What would it mean to have 2 in a panel? The base search just returns the results so how could you use 2 together?

I am not sure if this helps but you can have a base search use another base search.

Re: multiple base search

bowesmana — Thu, 06 Feb 2025 00:34:08 GMT

Technically you could use both base searches, but it's a bit fiddly and isn't really going to save you anything as the searches have to run anyway. You would get the job ids of each base search and then in your panel search you would use loadjob to load each of the jobs. However, you're still going to have to load the second job in some kind of subsearch (join?) so not sure where you're trying to go with this.

If you are simply trying to speed up a join search, you can't achieve this with two base searches, as you are simply not changing anything and it will take the time it takes.

The solution for a poor performing search using join is to remove the use of join and rewrite the search in another way.

Looking at your existing searches I'm not sure why you are trying to combine these in the first place, because you have appcode in your first search and you simply want appcode to get the list of details from the lookup.

You are doing a lookup in the primary search but doing nothing with the retrieved data. Why don't you just do the lookup in your primary search after the chart, i.e.

index=serverdata | rex "host_name=\"(?<server_host_name>[^\"]*)" |chart dc(host_name) over appcode by host_environment | eval TOTAL_servers=DEV+PAT+PROD | table appcode DEV PAT PROD TOTAL_servers | lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group