Dashboards & Visualizations

Run and append multiple savedsearches... AND pass tokens?

nick405060
Motivator

I'd like to run and append the results of multiple savedsearches into one aggregate report so that I can do analytics on the aggregate results. How can I do this?

Use case: have a user click submit in a dashboard, and then later receive an email with an aggregate user activity report on sessions, compiled from exchange, VPN, wineventlog, badge, duo, and other savedsearches. Inlining is not desired, and tokens are passed all the way from the dashboard to the savedsearches.

I can implement the use case but can't figure out how to make the report that is sent be aggregated from other savedsearches. You can append multiple jobs in a dashboard using

append [| loadjob "$job_sid_token1$"] | append [| loadjob "$job_sid_token2$"]

but I am not sure how to do it in a report. You can't

| append [| savedsearch ...] | append [| savedsearch ...]

since you can't pass tokens to an append... is there some way I can append multiple maps something like the following?

| map maxsearches=10000 search="| savedsearch REPORT1 passed_token=$passed_token$" | map maxsearches=10000 search="| savedsearch REPORT2 passed_token=$passed_token$"

... because that would solve my problem; you can use the savedsearch command in a map AND pass tokens.

0 Karma
1 Solution

nick405060
Motivator

Took me a while, but @Yorokobi's answer in the Slack usergroups ended up working:

In the aggregate report:

multireport [| savedsearch REPORT1 my_token="$my_token$"] [| savedsearch REPORT2 my_token="$my_token$"] [| savedsearch REPORT3 my_token="$my_token$"]

What tripped me up is that you have to be very careful about whether or not you have quotes around the tokens. My working solution has quotes around the tokens in the dashboard, in the aggregate report, and in the savedsearches.


0 Karma
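As an added example that is not from the original post or from Splunk's own documentation, here is one way the three layers could be laid out in savedsearches.conf so the token is quoted the same way at every step, which is the point the accepted answer makes (stanza names, index names, field names and the file path are assumptions):

```ini
# Added example, not the poster's configuration. Assumed location:
# $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
#
# The dashboard panel calls the aggregate report with the token quoted:
#   <query>| savedsearch USER_ACTIVITY_AGGREGATE my_token="$my_token$"</query>

# Per-source reports. "savedsearch REPORT1 my_token=..." replaces $my_token$
# inside the stanza; the surrounding quotes are kept here, in the report itself.
[REPORT1]
search = index=wineventlog EventCode=4624 user="$my_token$" \
| eval source="wineventlog" \
| stats min(_time) AS first_seen max(_time) AS last_seen count BY source src_ip

[REPORT2]
search = index=vpn action=login user="$my_token$" \
| eval source="vpn" \
| stats min(_time) AS first_seen max(_time) AS last_seen count BY source src_ip

# Aggregate report: multireport appends each savedsearch result set, and the
# quoted $my_token$ is passed straight through from the dashboard call above.
[USER_ACTIVITY_AGGREGATE]
search = | multireport \
    [| savedsearch REPORT1 my_token="$my_token$"] \
    [| savedsearch REPORT2 my_token="$my_token$"] \
| sort 0 source first_seen
```

Each per-source report should emit the same field set so the appended rows line up in the aggregate view.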
