Splunk Search

How to use a value without including it in search results


I am running a map command off of an initial search. The map ends with a sendemail command which sends a table of results.
I would like to send a message that computes totals and other stats on this table -- however, I would not like to include this data as a totals row the table/search results, only in the message.

In other words, the whole email would look something like:

Subject: Alert condition triggered

Sum(Field 1) of type X results: 524

    Table of results
    | Field 1 | Field 2 | ...     

I know this can be done by running yet another subsearch for the "message" parameter in Splunk. However, this means I'm effectively running the same search twice... when performance-wise it would be better to just run the stats off of the table after it is generated. I know how to implement this in a dashboard with base searches, but I would like to know how to do this in 1 search. I think the problem is that there is no "scope" outside of the search results to which I can write a variable. I can think of a clunky solution using lookup/outputlookup.

Is there some way to maybe pipe the table into a separate subsearch that generates a variable/token but does not actually append to the main search?

0 Karma

Esteemed Legend

The way that we did this was to run a base search and capture the SID using the addinfo command to get info_sid and then using |loadjob <SID here> in the other part of the search. This works great, except it makes the drilldown funky because it starts with | loadjob obscuring the base search.

0 Karma