Reporting

how to use inputlookup in subsearch

mvaradarajam
Path Finder

Hi All,
i have search like this,

|savedsearch [search index=_internal |eval tnow6 = now() | convert ctime(tnow6) | eval s=substr(tnow6,15,15) |eval r=substr(s,0,2)|eval SwitcherValue2=case(r%2=1,"alert1",r%2=0,"alert2")|dedup SwitcherValue2|return $SwitcherValue2]|table _time * threshold|makecontinuous _time

here alert1 and alert2 are the saved searches,but i am facing problem sometimes splunk deamon not response.i thought due to index search taken long time so my search has timed out.

how to use inputlookup instead of index="_internal".

here my query every 1 minute my saved search has changed.

can u plz help me

0 Karma
1 Solution

somesoni2
Revered Legend

Try this:

 |savedsearch [| stats count | eval r=tonumber(strftime(now(),"%M"))|eval SwitcherValue2=case(r%2=1,"alert1",r%2=0,"alert2")|dedup SwitcherValue2|return $SwitcherValue2]|table _time * threshold|makecontinuous _time

View solution in original post

somesoni2
Revered Legend

Try this:

 |savedsearch [| stats count | eval r=tonumber(strftime(now(),"%M"))|eval SwitcherValue2=case(r%2=1,"alert1",r%2=0,"alert2")|dedup SwitcherValue2|return $SwitcherValue2]|table _time * threshold|makecontinuous _time

somesoni2
Revered Legend

Then it should be some other problem. Check the error logs in _internal index to what is the problem.

Reference post:http://answers.splunk.com/answers/50485/splunkd-daemon-is-not-responding-the-read-operation-timed-ou...

0 Karma
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...