Splunk Search

Is it possible to use saved search RESULTS as a subsearch?

dspracklen
Path Finder

My problem with this is that the saved search takes longer than 60 seconds to run, so I only get partial answers if I try to run it as a subsearch (it times out).

What is key about my question are the words 'saved search results'. I have created a saved search and set up another search to use it as a subsearch. The problem I encounter is that when used as a subsearch, the results are ignored and the saved search is run fresh. The saved search takes longer than 60 seconds to run, so I only get partial answers when it runs 'live' in a subsearch.

What I need is the ability to retrieve results from a saved search and use those as a subsearch so that I don't time out.

This is an abbreviated example of what I'm doing now. This just runs the saved search fresh for the subsearch instead of pulling the saved results.

sourcetype=Data_Input_File [savedsearch timeless_base_search] | ... etc ... | table IPAddress MACAddress

1 Solution

sowings
Splunk Employee

Have you tried it with a pipe as the first character after the leading [ of the subsearch (e.g. [ | savedsearch timeless_base_search ])? If that still doesn't work for you, consider loadjob. An example might look like | loadjob savedsearch="admin:search:timeless_base_search"

Another thing you could consider is to constrain the runtime of the subsearch, even if you want a different search scope for the outer search. This can be done using the "earliest" and "latest" keywords in your subsearch.
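
A worked version of the loadjob approach from the answer above, together with the lookup-table route mentioned later in the thread, written as savedsearches.conf stanzas. This is an added example, not configuration from the original thread; the stanza names, the schedule, the lookup file name, and the owner "admin" / app "search" in the loadjob reference are assumptions, while the sourcetype and field names come from the question.

```ini
# savedsearches.conf (constructed example; owner "admin" and app "search" are assumed)

# The slow base search, run on a schedule so that a completed job artifact exists.
[timeless_base_search]
search = sourcetype=Data_Input_File | stats count by IPAddress MACAddress
enableSched = 1
cron_schedule = 0 2 * * *
# All-time scope, as the question requires.
dispatch.earliest_time = 0
dispatch.latest_time = now
# Keep the artifact for two schedule periods so loadjob always finds a finished run.
dispatch.ttl = 2p

# Consumer: pull the stored results instead of re-running the base search.
# loadjob returns the last completed scheduled run almost immediately, so the
# 60 second subsearch timeout is not reached. The subsearch is still capped by
# subsearch_maxout (10000 results by default in limits.conf), hence the dedup.
# The user running this needs read access to timeless_base_search; share that
# saved search at app level rather than running the consumer as admin.
[hosts_from_base_search]
search = sourcetype=Data_Input_File \
    [ | loadjob savedsearch="admin:search:timeless_base_search" \
      | dedup IPAddress | fields IPAddress | format ] \
    | table IPAddress MACAddress

# Alternative mentioned in the thread: materialise the base results into a lookup.
[timeless_base_search_to_lookup]
search = sourcetype=Data_Input_File | stats count by IPAddress MACAddress \
    | outputlookup base_hosts.csv
enableSched = 1
cron_schedule = 0 2 * * *
dispatch.earliest_time = 0
dispatch.latest_time = now

# Consumer reading the lookup; inputlookup is fast, so no timeout either.
[hosts_from_lookup]
search = sourcetype=Data_Input_File \
    [ | inputlookup base_hosts.csv | dedup IPAddress | fields IPAddress | format ] \
    | table IPAddress MACAddress
```

Both consumers only get results after the scheduled base search has completed at least once, so check the job artifact (or the lookup file) exists before relying on them.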

dspracklen
Path Finder

Excellent! The 'loadjob' advice worked like a charm. The pipe didn't solve this problem, but now with the other advice it all works as I'd hoped.

Thanks much!

dspracklen
Path Finder

I will give those first two options a try. It was also suggested to me that I have the internal saved search output to a lookup table and import THAT as the subsearch, effectively. (egads, trying to describe some of this clearly is difficult)

As for the time constraints, that's not something I can change. That's why it's 'timeless' in this instance. I don't need to run it often, but I do need a full answer.

Thanks much for the comment. I'll let you know how those suggestions work.
