Dashboards & Visualizations

Run and append multiple savedsearches... AND pass tokens?

nick405060
Motivator

I'd like to run and append the results of multiple savedsearches into one aggregate report so that I can do analytics on the aggregate results. How can I do this?

Use case: have a user click submit in a dashboard, and then later receive an email with an aggregate user activity report on sessions, compiled from exchange, VPN, wineventlog, badge, duo, and other savedsearches. Inlining is not desired, and tokens are passed all the way from the dashboard to the savedsearches.

I can implement the use case but can't figure out how to make the report that is sent be aggregated from other savedsearches. You can append multiple jobs in a dashboard using

append [| loadjob "$job_sid_token1$"] | append [| loadjob "$job_sid_token2$"]

but I am not sure how to do it in a report. You can't

| append [| savedsearch ...] | append [| savedsearch ...]

since you can't pass tokens to an append. Is there some way I can append multiple maps, something like the following?

| map maxsearches=10000 search="| savedsearch REPORT1 passed_token=$passed_token$" | map maxsearches=10000 search="| savedsearch REPORT2 passed_token=$passed_token$"

... because that would solve my problem; you can use the savedsearch command in a map AND pass tokens.

0 Karma
1 Solution

nick405060
Motivator

Took me a while but @Yorokobi's answer in Slack usergroups ended up working:

In the aggregate report:

multireport [| savedsearch REPORT1 my_token="$my_token$"] [| savedsearch REPORT2 my_token="$my_token$"] [| savedsearch REPORT3 my_token="$my_token$"]

What tripped me up is that you have to be very careful about whether you have quotes around the tokens or not. My working solution has quotes around the tokens in the dashboard, in the aggregate report, and in the savedsearches.


0 Karma
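As an added example, not code from the original post or from Splunk's documentation, here is a savedsearches.conf layout that applies the accepted pattern end to end for the user activity use case in the question. The report names REPORT1-3 and the token name my_token come from the answer; the index, sourcetype and field names, the extra eval that tags each row with its originating report, and the leading pipe before multireport (so that Splunk does not read multireport as a search term) are assumptions. Every token reference is written as "$my_token$", with the quotes, on both the calling and the called side, which is the quoting the answer says made it work.

```ini
# savedsearches.conf (constructed example; index, sourcetype, field and report
# bodies are assumptions, not from the original post). Every token reference is
# quoted, "$my_token$", on both sides, matching the accepted answer.

# --- Per-source child reports. Each is an ordinary saved search whose
# $my_token$ placeholder is filled in by "| savedsearch <name> my_token=...".
[REPORT1]
search = index=wineventlog sourcetype=XmlWinEventLog user="$my_token$" \
| eval report="wineventlog", src=coalesce(src_ip, src) \
| table _time report user src action

[REPORT2]
search = index=vpn sourcetype=vpn_auth user="$my_token$" \
| eval report="vpn" \
| table _time report user src action

[REPORT3]
search = index=duo sourcetype=duo:authentication user="$my_token$" \
| eval report="duo", src=access_device_ip \
| table _time report user src action

# --- Aggregate report: runs each child with the same token, appends the
# three result sets, then does the analytics on the merged timeline.
[user_activity_aggregate]
search = | multireport \
    [| savedsearch REPORT1 my_token="$my_token$"] \
    [| savedsearch REPORT2 my_token="$my_token$"] \
    [| savedsearch REPORT3 my_token="$my_token$"] \
| sort 0 _time \
| eventstats count AS total_events dc(report) AS sources_seen by user
```

On the dashboard side the submit button only needs to set my_token from a text input and run `| savedsearch user_activity_aggregate my_token="$my_token$"`, again with the quotes, so the same literal value is substituted at all three levels. Tagging each child's rows with a report field is what lets the aggregate tell which source a session came from once the sets are merged; without it, rows from the VPN and badge systems are indistinguishable after multireport appends them.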
