https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203537#M59123 <P>Hi all, hope you can help me with this question.</P> <P>What I'm trying to do is, given the information Splunk keeps about triggered alerts in index=_internal, create a dashboard with the alerts triggered in a period of time and, using the sid, get the actual results from that alert.</P> <P>I'm using the following search to get the information about triggered alerts:</P> <P>index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count <STRONG>sid</STRONG></P> <P>and I want to use the <STRONG>sid</STRONG> value returned to run a sub-search and get the actual values.</P> <P>Something like this, if possible, would be great:</P> <P>index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count <STRONG>sid</STRONG> | append [ loadjob <STRONG>sid</STRONG> ]</P> <P>Thanks for your help.</P> Tue, 29 Sep 2020 08:14:21 GMT cespinoz 2020-09-29T08:14:21Z https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203537#M59123 <P>Hi all, hope you can help me with this question.</P> <P>What I'm trying to do is, given the information Splunk keeps about triggered alerts in index=_internal, create a dashboard with the alerts triggered in a period of time and, using the sid, get the actual results from that alert.</P> <P>I'm using the following search to get the information about triggered alerts:</P> <P>index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count <STRONG>sid</STRONG></P> <P>and I want to use the <STRONG>sid</STRONG> value returned to run a sub-search and get the actual values.</P> <P>Something like this, if possible, would be great:</P> <P>index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count <STRONG>sid</STRONG> | append [ loadjob <STRONG>sid</STRONG> ]</P> <P>Thanks for your help.</P> Tue, 29 Sep 2020 08:14:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203537#M59123 cespinoz 2020-09-29T08:14:21Z https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203538#M59124 <P>The map command might work in this case:</P> <P>index="_internal" sourcetype="scheduler" savedsearch_name="Alert*" status=success | table _time app savedsearch_name severity status result_count sid | map [ | loadjob $sid$ ]</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Map" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Map</A></P> <P>You might also find this useful eventually:<BR /> map also supports a search id field, provided as $_serial_id$ which will have a number increemented for each run search. In other words, the first run search will have the value 1, and the second 2, and so on.</P> Tue, 29 Sep 2020 08:14:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203538#M59124 jkat54 2020-09-29T08:14:31Z https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203539#M59125 <P>Just in case you haven't already checked it out have you seen the built in Triggered Alerts dashboard? <A href="https://your.splunk.instance:8000/en-US/alerts/search">https://your.splunk.instance:8000/en-US/alerts/search</A></P> <P>For you own custom one You might be better off having one dashboard that lists all the alerts using your search, then have a dynamic drilldown that links to <CODE>/app/search/search?q=|loadjob $relevantToken$</CODE></P> <P>Have a look at the documentation and examples here: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Dynamicdrilldownindashboardsandforms">http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/Dynamicdrilldownindashboardsandforms</A></P> <P>And for the token values you can use for your drill down see this section: <A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/tokens#Define_tokens_for_dynamic_drilldown">http://docs.splunk.com/Documentation/Splunk/6.3.2/Viz/tokens#Define_tokens_for_dynamic_drilldown</A></P> Thu, 31 Dec 2015 10:32:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203539#M59125 jplumsdaine22 2015-12-31T10:32:32Z https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203540#M59126 <P>Both options actually work, thanks for your comments. However, for my particular requirement, I ended up building a dynamic drill down using the SID.</P> Tue, 05 Jan 2016 14:10:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-previous-search-results-as-a-sub-search/m-p/203540#M59126 cespinoz 2016-01-05T14:10:37Z