
Is it possible to use saved search RESULTS as a subsearch?

dspracklen
Path Finder

My problem with this is that the saved search takes longer than 60 seconds to run, so I only get partial answers if I try to run it as a subsearch. (it times out)

What is key about my question are the words 'saved search results'. I have created a saved search and set up another search to use it as a subsearch. The problem I encounter is that when used as a subsearch, the results are ignored and the saved search is run fresh. The saved search takes longer than 60 seconds to run, so I only get partial answers when it runs 'live' in a subsearch.

What I need is the ability to retrieve results from a saved search and use those as a subsearch so that I don't time out.

This is an abbreviated example of what I'm doing now. This just runs the saved search fresh for the subsearch instead of pulling the saved results.

sourcetype=Data_Input_File [savedsearch timeless_base_search] | ... etc ... | table IPAddress MACAddress

1 Solution

sowings
Splunk Employee

Have you tried it with a pipe as the first character after the leading [ of the subsearch (e.g. [ | savedsearch timeless_base_search ]). If that still doesn't work for you, consider loadjob. An example might look like | loadjob savedsearch="admin:search:timeless_base_search"

Another thing you could consider is to constrain the runtime of the subsearch, even if you want a different search scope for the outer search. This can be done using the "earliest" and "latest" keywords in your subsearch.

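Putting the accepted answer together with the original search, as an added example that is not from the thread: the first search pulls the stored results of the scheduled saved search with loadjob and trims them to one field before the subsearch expands them into an OR filter, and the second pair implements the lookup-table variant dspracklen mentions. The `admin:search` prefix comes from the answer and must match the owner and app of the saved search, which must be scheduled so a completed job exists for loadjob to read; `timeless_base_ips.csv` is an assumed lookup name.

```spl
sourcetype=Data_Input_File
    [ | loadjob savedsearch="admin:search:timeless_base_search"
      | fields IPAddress
      | dedup IPAddress ]
| table IPAddress MACAddress

| savedsearch timeless_base_search
| fields IPAddress
| dedup IPAddress
| outputlookup timeless_base_ips.csv

sourcetype=Data_Input_File
    [ | inputlookup timeless_base_ips.csv
      | fields IPAddress ]
| table IPAddress MACAddress
```

Because loadjob reads stored results, the data is only as fresh as the last scheduled run; the dedup keeps the subsearch well under the default 10,000-row subsearch result limit (maxout in limits.conf).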


dspracklen
Path Finder

Excellent! The 'loadjob' advice worked like a charm. The pipe didn't solve this problem, but now with the other advice it all works as I'd hoped.

Thanks much!


dspracklen
Path Finder

I will give those first two options a try. It was also suggested to me that I have the internal saved search output to a lookup table and import THAT as the subsearch, effectively. (egads, trying to describe some of this clearly is difficult)

As for the time constraints, that's not something I can change. That's why it's 'timeless' in this instance. I don't need to run it often, but I do need a full answer.

Thanks much for the comment. I'll let you know how those suggestions work.
