Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use an existing saved search/report as a subsearch?

TobiasBoone
Communicator
‎01-12-2017 09:09 AM

I'd like to prevent code / search syntax duplication; but often times I want to use the results of a saved search to be used as the query for a bigger search. Is there a way to call an existing saved search as a subsearch without simply duplicating the entire main search? This would make it MUCH easier to maintain code and simplify viewing big complex searches. I envision something like:

index=network sourcetype=cisco [call existing report MalwareHits | rename ip as query | fields query]

I know the search part works, but I hate to actually duplicate the entire malwarehits report inline.

Reply
1 Solution
Solved! Jump to solution
Solution

TobiasBoone
Communicator
‎01-12-2017 09:20 AM

loadjob uses the last results of a scheduled/previously run job (in my case an ldap query) so it won't work, but the SeeAlso on the page you provided gave me |savedsearch

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

which is exactly what I needed! Thank you!

View solution in original post

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎01-12-2017 09:21 AM

there is actually a savedsearch command that you can use in a subsearch.

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

Reply
Solved! Jump to solution
Solution

TobiasBoone
Communicator
‎01-12-2017 09:20 AM

loadjob uses the last results of a scheduled/previously run job (in my case an ldap query) so it won't work, but the SeeAlso on the page you provided gave me |savedsearch

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

which is exactly what I needed! Thank you!

Reply
Solved! Jump to solution

twinspop
Influencer
‎01-12-2017 09:16 AM

loadjob

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Loadjob

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...