Re: Using a Scheduled Saved Search as a base searc...

joydeep741 · ‎05-25-2015

Requirement :
I have a dashboard which has a base search and three post process searches.
Now, i want to make the base search as a scheduled report and replace the original base search with this scheduled report. How should i do this ?

< searchTemplate >Scheduled Report< /searchTemplate >
< postProcessSearch > 1 < /postProcessSearch>
< postProcessSearch > 2 < /postProcessSearch>
< postProcessSearch > 3 < /postProcessSearch>

I tried <\ searchTemplate ref="report_name" > but did not work.

grantjansen · ‎08-18-2015

Simple XML example on Version 6.2.2
Create a real time saved search named "RT_SavedSearch". For this example: index=_internal | head 1000

<form>
  <label>Post Process Saved Real-time Search</label>
  <description></description>
  <search id="BaseSearch" ref="RT_SavedSearch">
  </search>
  <row>
    <chart>
      <title>Events over Time(First)</title>
      <search base="BaseSearch">
        <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>
    <table>
      <title>Top Sourcetypes(First)</title>
      <search base="BaseSearch">
        <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
      </search>
      <option name="displayRowNumbers">true</option>
    </table>
  </row>
</form>

intelsubham · ‎05-26-2015

Suppose your scheduled Report Name is "Report1"

First refer it under search separately:

<search id="MainSearch" ref="Report1">
      <query></query>
 </search>

Then in visualizations,

 <chart>
      <title>Events over Time</title>
      <search base="MainSearch">
          <query>timechart count</query>
      </search>
      <option name="charting.chart">column</option>
    </chart>

<table>
  <title>Top Sourcetypes</title>
  <search base="MainSearch">
      <query>top limit=100 sourcetype | eval percent = round(percent,2)</query>
  </search>
  <option name="displayRowNumbers">true</option>
</table>

millarma · ‎12-19-2017

Here is how I did it. I used loadjob to call a specific report and then piped it to a search command that includes tokens

|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$

Here is what it looks like in XML Look up loadjob for more info.

<panel>
  <input type="text" token="UserName" searchWhenChanged="true">
    <label>UserName</label>
    <suffix>*</suffix>
    <default>*</default>
  </input>
  <table>
    <title>Table of Clipping and Signal to Noise Ratio activity By Group</title>
    <search>
      <query>|loadjob savedsearch="admin:search:Table of Clipping and Signal to Noise Ratio activity By UserName" | search UserName=$UserName$</query>
      <earliest>$earliest$</earliest>
      <latest>$latest$</latest>
    </search>
    <option name="count">10</option>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>

gjanders · ‎08-19-2016

Please note that using the above example in Splunk version 6.4, you need to remove the empty <query></query> from the <search id="MainSearch" ref="Report1"> for the above example to work...

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

joydeep741 · ‎05-26-2015

<search> <query> does not work in splunk v6.0.
Any suggestions for my version.

intelsubham · ‎05-27-2015

well i am using ver. 6.2.1, and it works fine. (Simple XML)

Using a Scheduled Saved Search as a base search in dashboard with post processing searches.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation