Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Basic question about scheduled search

jip31
Motivator
‎11-15-2019 02:37 AM

hello

In my dashboard, I use a scheduled search with a filter token because i have a dropdown list which allow me to do a filter by SITE
But I need to execute the stats command after the loadjob because I need to pick up all the 10 events (head 10) for a specific site
If I am doing the stats command directly in the savedsearch, I pick up all the 10 events (head 10) but for different sites
Is there a solution to solve the problem directly in the saved search because if I am doing the stats command afer the loadjob, its not very useful to use a scheduled search

| loadjob savedsearch="admin:SA_Monitoring_sh:Performances - Compliance host" 
| search SITE=$tok_filtersite|s$ 
| stats values(SITE) as SITE, count by host flag
| where isnotnull(flag) 
| rename host as Hostname, flag_patch_version as "Patch level", SITE as Site
| fields - count 
| table Hostname Site "Patch level" 
| sort +"Patch level" 
| head 10

thanks

Tags (1)
0 Karma
Reply

gfreitas
Builder
‎11-15-2019 04:48 AM

You can change the saved search and remove the stats command from it. Other options would include create a new saved search with the same contents from the previous one and remove the stats and a third option is to use a macro with variables. The macro would filter the site. The macro can be pretty much the same as your saved search.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...