Multiple base searches in one search

ektasardana · ‎11-07-2017

I have three base searches in my dashboard

 <query>....</query>


 <query>...</query>


 <query>...</query>

I need to show the results of each these queries in a single table, so I thought I can use multiple base searches, something like this

 <query>...</query>

Is there a way the above can be achieved?
Thanks!!

nick405060 · ‎04-09-2019

Yes, see

https://answers.splunk.com/answers/616340/is-it-possible-to-use-base-search-in-append-sub-se.html

Simply append multiple loadjobs. Also see:

https://answers.splunk.com/answers/738095/dashboard-search-optimization-only-run-searches-wh.html

elliotproebstel · ‎11-07-2017

Are you looking to append together the results of each search? I'm trying to understand the use case so that I can offer advice. There are probably many ways of achieving your end goal, so maybe you could give more details?

ektasardana · ‎11-07-2017

I have separate searches which all use a base search and calculate event duration.
Example: Base_search -> quite complex
search1 uses base_search results and output action1 duration
search2 uses base_search results and output action2 duration
search3 uses base_search results and output action3 duration

Now I want to display on a bar chart the durations with action on x axis and time on y axis.

PS: there is no easy way to combine all the results in one search, thats why I create separate searches

gcusello · ‎11-07-2017

No, in each panel you can use only one base search ti declare in search Tag.
If you want to speed up you sear h you have to use the Splunk acceleration methods.
Bye.
Giuseppe

nick405060 · ‎04-09-2019

I downvoted this post because no longer correct

Multiple base searches in one search

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?