How to use multiple saved searches for a single ta...

AKG1_old1 · ‎06-25-2019

Hi,
We are using a table in our dashboard and its output is based on multiple saved search.
How can I run multiple saved search in parallel and combined its result in a single table?

I have created below search which works fine but I am not be able to use in my dashboard.

| makeresults 
| eval ALERT="KPI_MXTIMING_MEM_LIVEBOOK_SESSION_FUNCTION" 
| append 
    [ makeresults 
    | eval ALERT="KPI_MXTIMING_LIVEBOOK_SESSION_CC_1MIN_FUNCTION"] 
| table ALERT 
| map  search="| savedsearch "$ALERT$" host_token=MX_Archival41 earliest_time_token=-10d"

When I add this search in the dashboard it says waiting for input. Reason is $ALERT$ in search which takes results from the first part of the search but on dashboard, even the first part won't run if there is any unassigned token present in search.

If I run this search directly it's working but not on the dashboard.

alt text

I am using mapping instead of append as there could be 10 saved searches and it will take longer to execute.
So I'm looking for a solution to run these saved search in parallel and produce results in a single table.

somesoni2 · ‎06-25-2019

Try this

| makeresults 
 | eval ALERT="KPI_MXTIMING_MEM_LIVEBOOK_SESSION_FUNCTION" 
 | append 
     [ makeresults 
     | eval ALERT="KPI_MXTIMING_LIVEBOOK_SESSION_CC_1MIN_FUNCTION"] 
 | table ALERT 
 | map  search="| savedsearch "$$ALERT$$" host_token=MX_Archival41 earliest_time_token=-10d"

AKG1_old1 · ‎06-25-2019

Brilliant !! @somesoni2 : Thank you. please update this as answer.

How to use multiple saved searches for a single table

Buttercup Games: Further Dashboarding Techniques (Part 4)

What You Read The Most: Splunk Lantern’s Most Popular Articles!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...