Basic question about scheduled search

jip31 · ‎11-15-2019

hello

In my dashboard, I use a scheduled search with a filter token because i have a dropdown list which allow me to do a filter by SITE
But I need to execute the stats command after the loadjob because I need to pick up all the 10 events (head 10) for a specific site
If I am doing the stats command directly in the savedsearch, I pick up all the 10 events (head 10) but for different sites
Is there a solution to solve the problem directly in the saved search because if I am doing the stats command afer the loadjob, its not very useful to use a scheduled search

| loadjob savedsearch="admin:SA_Monitoring_sh:Performances - Compliance host" 
| search SITE=$tok_filtersite|s$ 
| stats values(SITE) as SITE, count by host flag
| where isnotnull(flag) 
| rename host as Hostname, flag_patch_version as "Patch level", SITE as Site
| fields - count 
| table Hostname Site "Patch level" 
| sort +"Patch level" 
| head 10

thanks

gfreitas · ‎11-15-2019

You can change the saved search and remove the stats command from it. Other options would include create a new saved search with the same contents from the previous one and remove the stats and a third option is to use a macro with variables. The macro would filter the site. The macro can be pretty much the same as your saved search.

Basic question about scheduled search

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!

Are you a member of the Splunk Community?

Basic question about scheduled search

Splunk Observability as Code: From Zero to Dashboard

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Shape the Future of Splunk: Join the Product Research Lab!