Reporting

Using saved search as a "variable"

ajh11g
Explorer

I have a somewhat complex query that I am trying to execute. Essentially what I would like to do is use a saved search as a "variable" of sorts for another search.

The saved search would be something along the lines of:
host=*blah "etc" | stats count(host)

From there, I would think I could use the result of that saved search as a variable for another search, where math is being performed. So, what I envision the other to be:

search "etc2" | stats count(host) as hostCount| eval diff = savedSearch / hostCount

I've search around to see if this is possible, but I didn't find an conclusive results.

0 Karma
1 Solution

woodcock
Esteemed Legend

If you saved this as MySavedSearch:

host=*blah "etc" | stats count(host) AS hostCount

Then you can do this:

search "etc2" | stats count(host) as hostCount| eval diff = [| savedsearch MySavedSearch | return $hostCount] / hostCount 

View solution in original post

woodcock
Esteemed Legend

If you saved this as MySavedSearch:

host=*blah "etc" | stats count(host) AS hostCount

Then you can do this:

search "etc2" | stats count(host) as hostCount| eval diff = [| savedsearch MySavedSearch | return $hostCount] / hostCount 

woodcock
Esteemed Legend

Also, if you schedule MySavedSearch, you could also use loadjob to load the results of the previous run (instead of re-running it ad-hoc).

0 Karma

ajh11g
Explorer

Thanks! This did exactly what I was looking for.

0 Karma

woodcock
Esteemed Legend

Believe it or not, there is a command called savedsearch which allows you to templatize a saved search with tokens set from another search, exactly like how you templatize a dashboard panel with tokens set from the fieldset area.

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Savedsearch

It works like this: You save this search as MyTemplatizedHostSearch:

index=foo sourcetype=bar host=$my_host$

Then, you call this from another search like this:

|savedsearch MyTemplatizedHostSearch my_host="MyHostValue"

The search that is run will be:

    index=foo sourcetype=bar host="MyHostValue"

masonmorales
Influencer

Yes. Here's an example of using the results from one search in the eval of another search:

index=_internal sourcetype=splunkd 
| stats dc(splunk_server) as firstcount 
| map search="search index=_internal sourcetype=splunkd | stats dc(host) as secondcount | eval diff=secondcount-$firstcount$"

You should be able to adapt that to your use case pretty easily. Also, check out: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

DalJeanis
SplunkTrust
SplunkTrust

"Saved search" is a technical term, and is not what you want here.

There are a lot of options to go about doing something like this.

One fairly trivial one is to run these two in order...

host=*blah "etc" 
| stats count(host) as mycount 
| table mycount 
| outputcsv mycount.csv

search "etc2" 
| stats count(host) as hostCount 
| append [| inputcsv mycount.csv ]
| stats sum(*) as * 
| eval diff = mycount / hostCount 

With simple searches like those, it is pretty easy to then combine them into a single search like this...

search "etc2" 
| stats count(host) as hostCount 
| append 
    [| search host=*blah "etc" 
     | stats count(host) as mycount 
     | table mycount ] 
| stats sum(*) as * 
| eval diff = mycount / hostCount 
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...