Splunk Search

How to use an existing saved search/report as a subsearch?

TobiasBoone
Communicator

I'd like to prevent code / search syntax duplication, but oftentimes I want to use the results of a saved search as the query for a bigger search. Is there a way to call an existing saved search as a subsearch without simply duplicating the entire main search? This would make it MUCH easier to maintain code and simplify viewing big complex searches. I envision something like:

index=network sourcetype=cisco [call existing report MalwareHits | rename ip as query | fields query]

I know the search part works, but I hate to actually duplicate the entire malwarehits report inline.

1 Solution

TobiasBoone
Communicator

loadjob uses the last results of a scheduled/previously run job (in my case an ldap query) so it won't work, but the SeeAlso on the page you provided gave me |savedsearch

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

which is exactly what I needed! Thank you!


cmerriman
Super Champion

There is actually a savedsearch command that you can use in a subsearch.

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch
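The query from the question written with the savedsearch command, as an added example that is not part of the original thread. It assumes the MalwareHits report returns an ip field, as the question implies, and it adds a dedup that the question did not have, to keep the subsearch output small.

```spl
index=network sourcetype=cisco
    [| savedsearch MalwareHits
     | dedup ip
     | rename ip AS query
     | fields query]
```

savedsearch is a generating command, so it needs the leading pipe inside the subsearch brackets, and it runs the report's search again rather than reading the cached results of an earlier job the way loadjob does. Because the field is renamed to query, the subsearch hands back the bare values as search terms instead of ip=value pairs.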

