Hi,
Is it possible to save an SPL command into one new command and use it when running a query?
For example:
| dedup 1 id | stats count by hostname ----> my_command
When running a query, I want to use it as:
| my_command
How can I do that?
Thanks
You can use search macros.
https://docs.splunk.com/Documentation/Splunk/7.3.1/Knowledge/Usesearchmacros
If you saved this as MySavedSearch
| dedup 1 id | stats count by hostname
Then you can do this:
| savedsearch MySavedSearch
Also, if you schedule MySavedSearch, you could also use loadjob to load the results of the previous run (instead of re-running it ad-hoc).