https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104125#M26936 <P>My problem with this is that the saved search takes longer than 60 seconds to run, so I only get partial answers if I try to run it as a subsearch. (it times out)</P> <P>What is key about my question are the words 'saved search results'. I have created a saved search and set up another search to use it as a subsearch. The problem I encounter is that when used as a subsearch, the results are ignored and the saved search is run fresh. The saved search takes longer than 60 seconds to run, so I only get partial answers when it runs 'live' in a subsearch.</P> <P>What I need is the ability to retrieve results from a saved search and use those as a subsearch so that I don't time out.</P> <P>This is an abbreviated example of what I'm doing now. This just runs the saved search fresh for the subsearch instead of pulling the saved results.</P> <P>sourcetype=Data_Input_File [savedsearch timeless_base_search] | ... etc ... | table IPAddress MACAddress</P> Mon, 28 Sep 2020 12:42:04 GMT dspracklen 2020-09-28T12:42:04Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104125#M26936 <P>My problem with this is that the saved search takes longer than 60 seconds to run, so I only get partial answers if I try to run it as a subsearch. (it times out)</P> <P>What is key about my question are the words 'saved search results'. I have created a saved search and set up another search to use it as a subsearch. The problem I encounter is that when used as a subsearch, the results are ignored and the saved search is run fresh. The saved search takes longer than 60 seconds to run, so I only get partial answers when it runs 'live' in a subsearch.</P> <P>What I need is the ability to retrieve results from a saved search and use those as a subsearch so that I don't time out.</P> <P>This is an abbreviated example of what I'm doing now. This just runs the saved search fresh for the subsearch instead of pulling the saved results.</P> <P>sourcetype=Data_Input_File [savedsearch timeless_base_search] | ... etc ... | table IPAddress MACAddress</P> Mon, 28 Sep 2020 12:42:04 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104125#M26936 dspracklen 2020-09-28T12:42:04Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104126#M26937 <P>Have you tried it with a pipe as the first character after the leading [ of the subsearch (e.g. <CODE>[ | savedsearch timeless_base_search ]</CODE>). If that still doesn't work for you, consider <A href="http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Loadjob">loadjob</A>. An example might look like <CODE>| loadjob savedsearch="admin:search:timeless_base_search"</CODE></P> <P>Another thing you could consider is to constrain the runtime of the subsearch, even if you want a <EM>different</EM> search scope for the outer search. This can be done using the "earliest" and "latest" keywords in your subsearch.</P> Fri, 26 Oct 2012 17:56:16 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104126#M26937 sowings 2012-10-26T17:56:16Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104127#M26938 <P>I will give those first two options a try. It was also suggested to me that I have the internal saved search output to a lookup table and import THAT as the subsearch, effectively. (egads, trying to describe some of this clearly is difficulty)</P> <P>As for the time constraints, that's not something I can change. That's why it's 'timeless' in this instance. I don't need to run it often, but I do need a full answer.</P> <P>Thanks much for the comment. I'll let you know how those suggestions work.</P> Fri, 26 Oct 2012 18:20:13 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104127#M26938 dspracklen 2012-10-26T18:20:13Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104128#M26939 <P>Excellent! The 'loadjob' advice worked like a charm. The pipe didn't solve this problem, but now with the other advice it all works as I'd hoped.</P> <P>Thanks much!</P> Fri, 26 Oct 2012 18:59:30 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-use-saved-search-RESULTS-as-a-subsearch/m-p/104128#M26939 dspracklen 2012-10-26T18:59:30Z