Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use multiple saved searches for a single table

AKG1_old1
Builder
‎06-25-2019 06:52 AM

Hi,
We are using a table in our dashboard and its output is based on multiple saved search.
How can I run multiple saved search in parallel and combined its result in a single table?

I have created below search which works fine but I am not be able to use in my dashboard. 

| makeresults 
| eval ALERT="KPI_MXTIMING_MEM_LIVEBOOK_SESSION_FUNCTION" 
| append 
    [ makeresults 
    | eval ALERT="KPI_MXTIMING_LIVEBOOK_SESSION_CC_1MIN_FUNCTION"] 
| table ALERT 
| map  search="| savedsearch "$ALERT$" host_token=MX_Archival41 earliest_time_token=-10d"

When I add this search in the dashboard it says waiting for input. Reason is $ALERT$ in search which takes results from the first part of the search but on dashboard, even the first part won't run if there is any unassigned token present in search.

If I run this search directly it's working but not on the dashboard.

alt text

I am using mapping instead of append as there could be 10 saved searches and it will take longer to execute.
So I'm looking for a solution to run these saved search in parallel and produce results in a single table.

Preview file
46 KB
0 Karma
Reply

somesoni2
Revered Legend
‎06-25-2019 07:00 AM

Try this

| makeresults 
 | eval ALERT="KPI_MXTIMING_MEM_LIVEBOOK_SESSION_FUNCTION" 
 | append 
     [ makeresults 
     | eval ALERT="KPI_MXTIMING_LIVEBOOK_SESSION_CC_1MIN_FUNCTION"] 
 | table ALERT 
 | map  search="| savedsearch "$$ALERT$$" host_token=MX_Archival41 earliest_time_token=-10d"
Reply

AKG1_old1
Builder
‎06-25-2019 07:08 AM

Brilliant !! @somesoni2 : Thank you. please update this as answer.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...