Reporting

Using saved search as a "variable"

ajh11g
Explorer

I have a somewhat complex query that I am trying to execute. Essentially what I would like to do is use a saved search as a "variable" of sorts for another search.

The saved search would be something along the lines of:
host=*blah "etc" | stats count(host)

From there, I would think I could use the result of that saved search as a variable for another search, where math is being performed. So, what I envision the other to be:

search "etc2" | stats count(host) as hostCount| eval diff = savedSearch / hostCount

I've searched around to see if this is possible, but I didn't find any conclusive results.

0 Karma
1 Solution

woodcock
Esteemed Legend

If you saved this as MySavedSearch:

host=*blah "etc" | stats count(host) AS hostCount

Then you can do this:

search "etc2" | stats count(host) as hostCount| eval diff = [| savedsearch MySavedSearch | return $hostCount] / hostCount 

woodcock
Esteemed Legend

Also, if you schedule MySavedSearch, you could use loadjob to load the results of the previous run (instead of re-running it ad hoc).

0 Karma
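As an added example (not posted by anyone in this thread), here is the accepted answer's `[| savedsearch ... | return $field]` pattern and the loadjob alternative mentioned above, written out as a savedsearches.conf fragment for a defensive use case: a scheduled baseline of how many distinct hosts sent Windows Security events over the previous week, and a check that flags a drop in log coverage against that baseline. The saved-search names, the index and sourcetype, the 80% threshold and the `admin:search` owner/app prefix in the loadjob reference are all assumptions.

```ini
# savedsearches.conf fragment (added example, not from this thread).
# Stanza names, index, sourcetype, threshold and the "admin:search"
# owner/app prefix are assumptions; adjust them to the deployment.

# 1. Baseline: distinct hosts that sent Windows Security events during the
#    previous 7 full days. Scheduled, so loadjob has a prior run to read.
[HostBaseline]
search = index=wineventlog sourcetype=WinEventLog:Security | stats dc(host) AS baselineHosts
dispatch.earliest_time = -7d@d
dispatch.latest_time = @d
enableSched = 1
cron_schedule = 5 0 * * *

# 2. Coverage check that re-runs the baseline ad hoc (the accepted answer's
#    savedsearch ... | return $field pattern). The subsearch result is
#    spliced into eval as a literal, so it must yield exactly one numeric value.
[HostCoverageCheck]
search = index=wineventlog sourcetype=WinEventLog:Security | stats dc(host) AS todayHosts | eval baselineHosts=[| savedsearch HostBaseline | return $baselineHosts] | eval coverage=round(todayHosts/baselineHosts,2) | where coverage < 0.8
dispatch.earliest_time = @d
dispatch.latest_time = now

# 3. Same check reading the most recent scheduled result instead of
#    re-running it. appendcols puts baselineHosts on the same row as todayHosts.
[HostCoverageCheckLoadjob]
search = index=wineventlog sourcetype=WinEventLog:Security | stats dc(host) AS todayHosts | appendcols [| loadjob savedsearch="admin:search:HostBaseline"] | eval coverage=round(todayHosts/baselineHosts,2) | where coverage < 0.8
dispatch.earliest_time = @d
dispatch.latest_time = now
```

Two things to check when adapting this: the loadjob reference must name the owner and app the baseline was saved under, or the subsearch returns nothing and `baselineHosts` is empty; and if the baseline ever evaluates to 0, the division produces a null `coverage`, so the `where` clause silently drops the row rather than alerting. A separate check that `baselineHosts` is non-null and greater than zero is a cheap way to catch both cases.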

ajh11g
Explorer

Thanks! This did exactly what I was looking for.

0 Karma

woodcock
Esteemed Legend

Believe it or not, there is a command called savedsearch which allows you to templatize a saved search with tokens set from another search, exactly like how you templatize a dashboard panel with tokens set from the fieldset area.

http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Savedsearch

It works like this: You save this search as MyTemplatizedHostSearch:

index=foo sourcetype=bar host=$my_host$

Then, you call this from another search like this:

|savedsearch MyTemplatizedHostSearch my_host="MyHostValue"

The search that is run will be:

index=foo sourcetype=bar host="MyHostValue"

masonmorales
Influencer

Yes. Here's an example of using the results from one search in the eval of another search:

index=_internal sourcetype=splunkd 
| stats dc(splunk_server) as firstcount 
| map search="search index=_internal sourcetype=splunkd | stats dc(host) as secondcount | eval diff=secondcount-$firstcount$"

You should be able to adapt that to your use case pretty easily. Also, check out: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

DalJeanis
Legend

"Saved search" is a technical term, and is not what you want here.

There are a lot of options to go about doing something like this.

One fairly trivial one is to run these two in order...

host=*blah "etc" 
| stats count(host) as mycount 
| table mycount 
| outputcsv mycount.csv

search "etc2" 
| stats count(host) as hostCount 
| append [| inputcsv mycount.csv ]
| stats sum(*) as * 
| eval diff = mycount / hostCount 

With simple searches like those, it is pretty easy to then combine them into a single search like this...

search "etc2" 
| stats count(host) as hostCount 
| append 
    [| search host=*blah "etc" 
     | stats count(host) as mycount 
     | table mycount ] 
| stats sum(*) as * 
| eval diff = mycount / hostCount 