topic Re: Putting two search queries within and in Splunk Search

Putting two search queries within and

aseid — Mon, 27 Jul 2015 20:56:32 GMT

Out of concern for performance, I need to put more than one search queries within same <query> and </query> block. One search query feeds the next using lookup writes and reads. Can I do that?

Re: Putting two search queries within and

bmacias84 — Mon, 27 Jul 2015 22:12:03 GMT

Why not use post process searches.

Re: Putting two search queries within and

somesoni2 — Mon, 27 Jul 2015 22:22:07 GMT

If output of one search is input for 2nd one, you can just merge them into one big search.

Re: Putting two search queries within and

aseid — Tue, 28 Jul 2015 12:44:22 GMT

I designed one 'big' search query but at the cost of performance (and elegance). Reason being two chunks of the search must be re-used twice implying that the search must be re-launched.

Re: Putting two search queries within and

somesoni2 — Tue, 28 Jul 2015 15:02:34 GMT

The thing you want to achieve requires sequencing of search queries as the lookup from 1st query should be populated before 2nd query should start. If the timerange/data for 1st query doesn't change very much drastically, you can schedule it to run frequently and update the lookup file. The 2nd query will just get the data from the latest scheduled run of the 1st query. Thoughts?

Re: Putting two search queries within and

mmensch — Wed, 12 Aug 2015 17:59:59 GMT

Have you tried using an append command or using a subsearch?

Append Splunk Doc: http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Append

SubSearch Splunk Doc: http://docs.splunk.com/Documentation/Splunk/6.2.4/Search/Aboutsubsearches#A_subsearch_example

You can also control the subsearch with settings in limits.conf for the runtime and maximum number of results returned.