Dashboards & Visualizations

Run and append multiple savedsearches... AND pass tokens?

nick405060
Motivator

I'd like to run and append the results of multiple savedsearches into one aggregate report so that I can do analytics on the aggregate results. How can I do this?

Use case: have a user click submit in a dashboard, and then later receive an email with an aggregate user activity report on sessions, compiled from exchange, VPN, wineventlog, badge, duo, and other savedsearches. Inlining is not desired, and tokens are passed all the way from the dashboard to the savedsearches.

I can implement the use case but can't figure out how to make the report that is sent be aggregated from other savedsearches. You can append multiple jobs in a dashboard using

append [| loadjob "$job_sid_token1$"] | append [| loadjob "$job_sid_token2$"]

but I am not sure how to do it in a report. You can't

| append [| savedsearch ...] | append [| savedsearch ...]

since you can't pass tokens to an append... is there some way I can append multiple maps something like the following?

| map maxsearches=10000 search="| savedsearch REPORT1 passed_token=$passed_token$" | map maxsearches=10000 search="| savedsearch REPORT2 passed_token=$passed_token$"

... because that would solve my problem; you can use the savedsearch command in a map AND pass tokens.

0 Karma
1 Solution

nick405060
Motivator

Took me a while but @Yorokobi's answer in Slack usergroups ended up working:

In the aggregate report:

multireport [| savedsearch REPORT1 my_token="$my_token$"] [| savedsearch REPORT2 my_token="$my_token$"] [| savedsearch REPORT3 my_token="$my_token$"]

What tripped me up is that you have to be very careful when you have quotes around the tokens or not. My working solution has quotes around the tokens in the dashboard, in the aggregate report, and in the savedsearches

View solution in original post

0 Karma

nick405060
Motivator

Took me a while but @Yorokobi's answer in Slack usergroups ended up working:

In the aggregate report:

multireport [| savedsearch REPORT1 my_token="$my_token$"] [| savedsearch REPORT2 my_token="$my_token$"] [| savedsearch REPORT3 my_token="$my_token$"]

What tripped me up is that you have to be very careful when you have quotes around the tokens or not. My working solution has quotes around the tokens in the dashboard, in the aggregate report, and in the savedsearches

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...