Reporting

scheduled report based on X number of search results

mcohen13
Loves-to-Learn

I have a query template already made.
I want to run this query on X (the number will change all the time) amount of distinct descriptions that are being returned through another query.
How can I do that?

Query that runs on every distinct description:
index="event_raw_data" description="somedescription" | fillnull value="NO Description" description | timechart count by description useother=f

Query that returns the description:
index="event_raw_data" | table description | dedup description

I want to combine the two so that the first query will run on every distinct result of the first.

0 Karma

woodcock
Esteemed Legend

You need to program the first search by using the second search as a subsearch like this:

index="event_raw_data" [index="event_raw_data" | stats values(description) AS description] | timechart count by description useother=f
0 Karma

woodcock
Esteemed Legend

As far as creating/using one search as a template for another search, carefully read about savedsearch and all that it can do in this regard using placeholders:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch
0 Karma

woodcock
Esteemed Legend

That is what map is for, but beware of dangerous scaling:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Map

However, I strongly suspect that you are not accurately describing what you really need to do here.

0 Karma

somesoni2
Revered Legend

Try like this:

index="event_raw_data" [search index="event_raw_data" ..other search terms if any...| stats count by description | table description] 
| timechart count by description useother=f
0 Karma

adonio
Ultra Champion

Hope I understand your question.
Try this:
index="event_raw_data" description="somedescription" | timechart limit=0 count by description
Let the timechart command dedup for you.
As a side note, it's always better to dedup before table.

0 Karma
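The three approaches proposed in this thread (let timechart split by the field, feed the distinct values in through a subsearch, or run the template once per value with map), written out against the question's own index and field names as an added example; these searches are not from any of the posters above. The first search assumes the question's template only needs to filter on description and then split by it, so one search covers every value; the second is the subsearch form, where the inner search produces one row per distinct description and Splunk expands those rows into (description="a") OR (description="b") ... before the outer search runs; the third is the map form, which runs the template once per row of the driving search, substituting the value for $description$. The maxsearches value is an assumed cap, not a value from the thread.

```spl
index="event_raw_data"
| fillnull value="NO Description" description
| timechart count by description useother=f limit=0

index="event_raw_data" [search index="event_raw_data" | stats count by description | fields description]
| fillnull value="NO Description" description
| timechart count by description useother=f limit=0

index="event_raw_data" | stats count by description | fields description
| map maxsearches=100 search="search index=\"event_raw_data\" description=\"$description$\" | timechart count by description useother=f"
```

Practical checks: the subsearch is bounded by the [subsearch] maxout and maxtime settings in limits.conf (10000 results and 60 seconds by default), so with a large number of distinct descriptions inspect the job for a truncation warning rather than trusting the chart. map launches one complete search per value and defaults to maxsearches=10, which is the scaling cost woodcock warns about; keep the driving search as narrow as possible and raise the cap deliberately. A description value containing a double quote will break the quoted $description$ substitution in the map search string, which is one more reason to prefer the first form whenever the template really is just a filter plus a split by the same field.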