Basic question about scheduled search

jip31 · ‎11-15-2019

hello

In my dashboard, I use a scheduled search with a filter token because i have a dropdown list which allow me to do a filter by SITE
But I need to execute the stats command after the loadjob because I need to pick up all the 10 events (head 10) for a specific site
If I am doing the stats command directly in the savedsearch, I pick up all the 10 events (head 10) but for different sites
Is there a solution to solve the problem directly in the saved search because if I am doing the stats command afer the loadjob, its not very useful to use a scheduled search

| loadjob savedsearch="admin:SA_Monitoring_sh:Performances - Compliance host" 
| search SITE=$tok_filtersite|s$ 
| stats values(SITE) as SITE, count by host flag
| where isnotnull(flag) 
| rename host as Hostname, flag_patch_version as "Patch level", SITE as Site
| fields - count 
| table Hostname Site "Patch level" 
| sort +"Patch level" 
| head 10

thanks

gfreitas · ‎11-15-2019

You can change the saved search and remove the stats command from it. Other options would include create a new saved search with the same contents from the previous one and remove the stats and a third option is to use a macro with variables. The macro would filter the site. The macro can be pretty much the same as your saved search.

Basic question about scheduled search

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023