Reporting

Using saved search as a "variable"

ajh11g
Explorer

I have a somewhat complex query that I am trying to execute. Essentially what I would like to do is use a saved search as a "variable" of sorts for another search.

The saved search would be something along the lines of:
host=*blah "etc" | stats count(host)

From there, I would think I could use the result of that saved search as a variable for another search, where math is being performed. So, what I envision the other to be:

search "etc2" | stats count(host) as hostCount| eval diff = savedSearch / hostCount

I've search around to see if this is possible, but I didn't find an conclusive results.

0 Karma
1 Solution

woodcock
Esteemed Legend

If you saved this as MySavedSearch:

host=*blah "etc" | stats count(host) AS hostCount

Then you can do this:

search "etc2" | stats count(host) as hostCount| eval diff = [| savedsearch MySavedSearch | return $hostCount] / hostCount 

View solution in original post

woodcock
Esteemed Legend

If you saved this as MySavedSearch:

host=*blah "etc" | stats count(host) AS hostCount

Then you can do this:

search "etc2" | stats count(host) as hostCount| eval diff = [| savedsearch MySavedSearch | return $hostCount] / hostCount 

woodcock
Esteemed Legend

Also, if you schedule MySavedSearch, you could also use loadjob to load the results of the previous run (instead of re-running it ad-hoc).

0 Karma

ajh11g
Explorer

Thanks! This did exactly what I was looking for.

0 Karma

woodcock
Esteemed Legend

Believe it or not, there is a command called savedsearch which allows you to templatize a saved search with tokens set from another search, exactly like how you templatize a dashboard panel with tokens set from the fieldset area.

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Savedsearch

It works like this: You save this search as MyTemplatizedHostSearch:

index=foo sourcetype=bar host=$my_host$

Then, you call this from another search like this:

|savedsearch MyTemplatizedHostSearch my_host="MyHostValue"

The search that is run will be:

    index=foo sourcetype=bar host="MyHostValue"

masonmorales
Influencer

Yes. Here's an example of using the results from one search in the eval of another search:

index=_internal sourcetype=splunkd 
| stats dc(splunk_server) as firstcount 
| map search="search index=_internal sourcetype=splunkd | stats dc(host) as secondcount | eval diff=secondcount-$firstcount$"

You should be able to adapt that to your use case pretty easily. Also, check out: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

DalJeanis
Legend

"Saved search" is a technical term, and is not what you want here.

There are a lot of options to go about doing something like this.

One fairly trivial one is to run these two in order...

host=*blah "etc" 
| stats count(host) as mycount 
| table mycount 
| outputcsv mycount.csv

search "etc2" 
| stats count(host) as hostCount 
| append [| inputcsv mycount.csv ]
| stats sum(*) as * 
| eval diff = mycount / hostCount 

With simple searches like those, it is pretty easy to then combine them into a single search like this...

search "etc2" 
| stats count(host) as hostCount 
| append 
    [| search host=*blah "etc" 
     | stats count(host) as mycount 
     | table mycount ] 
| stats sum(*) as * 
| eval diff = mycount / hostCount 
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...