Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use an existing saved search/report as a subsearch?

TobiasBoone
Communicator
‎01-12-2017 09:09 AM

I'd like to prevent code / search syntax duplication; but often times I want to use the results of a saved search to be used as the query for a bigger search. Is there a way to call an existing saved search as a subsearch without simply duplicating the entire main search? This would make it MUCH easier to maintain code and simplify viewing big complex searches. I envision something like:

index=network sourcetype=cisco [call existing report MalwareHits | rename ip as query | fields query]

I know the search part works, but I hate to actually duplicate the entire malwarehits report inline.

Reply
1 Solution
Solved! Jump to solution
Solution

TobiasBoone
Communicator
‎01-12-2017 09:20 AM

loadjob uses the last results of a scheduled/previously run job (in my case an ldap query) so it won't work, but the SeeAlso on the page you provided gave me |savedsearch

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

which is exactly what I needed! Thank you!

View solution in original post

Reply
Solved! Jump to solution

cmerriman
Super Champion
‎01-12-2017 09:21 AM

there is actually a savedsearch command that you can use in a subsearch.

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

Reply
Solved! Jump to solution
Solution

TobiasBoone
Communicator
‎01-12-2017 09:20 AM

loadjob uses the last results of a scheduled/previously run job (in my case an ldap query) so it won't work, but the SeeAlso on the page you provided gave me |savedsearch

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

which is exactly what I needed! Thank you!

Reply
Solved! Jump to solution

twinspop
Influencer
‎01-12-2017 09:16 AM

loadjob

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Loadjob

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...