Hello guys, I was wondering if it was possible to iterate over a scheduled search.
Let's say I have a scheduled search that I want to run for each distinct value of a field and then collect the results on different indexes.
It would be like:
index=_internal field=A <...search...> | collect index=myIndexA
then for B:
index=_internal field=B <...search...> | collect index=myIndexB
Since it will be a high volume of data, I can't collect all the data into the same index and then extract from there.
Is there a way to do this using a script or with Splunk parameters?
Thanks in advance
Have you tried the map command? http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Map
Something like,
index=_internal | stats count by field | eval idx="myIdx".field | table field idx | map search="search index=_internal field=$field$ ... search ... | collect index=$idx$"
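The question also asks about a script. Below is an added example (not code from the thread, not from Splunk) of that route: a Python script that fetches the distinct values of the field with one search, builds one search per value with its own collect target, and submits each one through the Splunk REST search endpoint. Everything about the environment is assumed: `SPLUNK_URL`, `TOKEN` and the `Bearer` header, a field literally named `field`, a `body` that stands in for the `<...search...>` part of the question, and target indexes named `myindexa`, `myindexb`, ... (Splunk index names are lowercase, so the script lowercases them) that already exist, since `collect` does not create an index. Two caveats that apply to the `map` approach as well: `map` runs at most `maxsearches` searches (default 10), so a field with more distinct values than that needs the argument raised; and anything spliced into the search string via `$field$` / `$idx$` is SPL, so a value containing a quote or a pipe can change what the generated search does. The script therefore whitelists values before interpolating them instead of trusting the data.

```python
"""Per-value collect via the Splunk REST API (added example, not from the thread).

Assumptions, not given on the page: SPLUNK_URL, TOKEN and the auth header
format; the field is literally called "field"; target indexes are the
lowercased prefix + value and already exist.
"""
import json
import re
import urllib.parse
import urllib.request

SPLUNK_URL = "https://splunk.example.com:8089"  # assumed host / management port
TOKEN = "<splunk-auth-token>"                    # assumed; a Splunk auth token
FIELD = "field"                                  # the field the question splits on
INDEX_PREFIX = "myindex"                         # myindexa, myindexb, ... (index names are lowercase)

# Values are spliced into SPL and into an index name, so accept only a
# conservative character set. A value such as  A" | delete  would otherwise
# turn the generated search into something quite different from the plan.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_-]+$")


def build_search(value, body):
    """SPL for one distinct value; body is the middle of the search (the
    "<...search...>" part of the question, supplied by the caller)."""
    if not SAFE_VALUE.match(value):
        raise ValueError(f"refusing to interpolate unsafe value {value!r}")
    target = (INDEX_PREFIX + value).lower()
    return f'search index=_internal {FIELD}="{value}" {body} | collect index={target}'


def distinct_values(submit):
    """Ask Splunk for the distinct values of FIELD; submit(spl) returns result rows."""
    spl = f"search index=_internal | stats count by {FIELD} | fields {FIELD}"
    return sorted(row[FIELD] for row in submit(spl))


def run_per_value(values, body, submit):
    """Submit one search per value. Unsafe values are reported and skipped;
    returns {value: spl} for the searches that were submitted."""
    submitted = {}
    for value in values:
        try:
            spl = build_search(value, body)
        except ValueError as exc:
            print(f"skip: {exc}")
            continue
        submit(spl)
        submitted[value] = spl
    return submitted


def splunk_oneshot(spl):
    """Real submitter: one synchronous (oneshot) search job; returns its result rows."""
    data = urllib.parse.urlencode(
        {"search": spl, "exec_mode": "oneshot", "output_mode": "json"}
    ).encode()
    req = urllib.request.Request(
        f"{SPLUNK_URL}/services/search/jobs",
        data=data,
        headers={"Authorization": f"Bearer {TOKEN}"},  # assumed token auth
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["results"]


if __name__ == "__main__":
    # Run this from cron or a job scheduler in place of the single scheduled search.
    values = distinct_values(splunk_oneshot)
    # "sourcetype=splunkd" is a constructed placeholder for the question's <...search...>.
    done = run_per_value(values, "sourcetype=splunkd", splunk_oneshot)
    print(f"submitted {len(done)} collect searches")
```

The submitter is passed in as a function so the search-building logic can be exercised without a Splunk instance; swapping `splunk_oneshot` for a function that records the SPL strings is enough to check exactly what would be sent.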
Thanks sundareshr, I managed to do what I wanted with the map function.
Best Regards.