Splunk Search

Is there a way to run a batch of savedqueries using splunk rather than python or REST?

iTechEvent
Explorer

| savedquery Q1 -> this runs okay

| savedquery Q1 | savedquery Q2 -> not okay. Splunk error.

| savedquery Q1, Q2 -> not okay, Splunk error.

| savedsearch Q1 | append [savedsearch Q2 ] | append [savedsearch Q3 ] | append [savedsearch Q4] --> okay and runs, but only the first one runs, not the rest.

Is it possible to run a batch of saved queries in Splunk?
Is automation using Python or REST the only choice?

I am trying to keep it simple if possible. Anything I can try?


iTechEvent
Explorer

First, the 2 queries need to be run one after the other, since the first creates a CSV file which the second query reads. There needs to be serial rather than parallel execution.

Is there a serial search version of multisearch which runs queries at the same time?


jonuwz
Influencer

What are you actually trying to achieve by doing this? Have the output of all the savedsearches on the dashboard?

If so - try this


iTechEvent
Explorer

It's good if I can run the rest command from Splunk itself, 2 queries one after the other, preferably checking the status for successful completion.

| rest /servicesNS/admin/search/saved/searches | search title="*threshold"

Then you can add

| map maxsearches=20 search="| savedsearch \"$title$\" | eval savedsearch=\"$title$\" "

The 2 queries have different earliest and latest values and can't be run with the same time values. It looks like that is still a constraint and the above won't work.

Any other suggestions?

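The REST route the question asks about (serial execution, a different time window per saved search, and a completion check before the next one starts), as an added example that is not from this thread: a small Python runner using only the standard library. It assumes a Splunk session token and a reachable management port; the host, token and the names Q1/Q2 are placeholders, the `/servicesNS/admin/search/` namespace is taken from the thread, and the `http` parameter exists only so the loop can be exercised offline with a fake transport.

```python
import json
import time
import urllib.parse
import urllib.request


def splunk_http(method, url, token, data=None):
    """Real transport: one call to the Splunk management port with a session token.
    (Assumes a trusted server certificate; replace the token/host placeholders.)"""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Authorization": f"Splunk {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def run_saved_searches_serially(base, token, jobs, owner="admin", app="search",
                                http=splunk_http, poll=1.0, timeout=600):
    """Dispatch each saved search in order and wait for it to finish before
    dispatching the next one.

    jobs: list of (name, earliest, latest); earliest/latest are passed as
    dispatch.earliest_time / dispatch.latest_time, so each search keeps its own
    window, e.g. ("Q1", "-24h@h", "now").
    Returns [(name, sid, dispatchState), ...]. Stops at the first job that does
    not reach DONE, because a later search may read what an earlier one wrote.
    """
    results = []
    for name, earliest, latest in jobs:
        url = (f"{base}/servicesNS/{owner}/{app}/saved/searches/"
               f"{urllib.parse.quote(name, safe='')}/dispatch")
        sid = http("POST", url, token, {"output_mode": "json",
                                       "dispatch.earliest_time": earliest,
                                       "dispatch.latest_time": latest})["sid"]
        state = "QUEUED"
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            job = http("GET", f"{base}/services/search/jobs/{sid}?output_mode=json", token)
            state = job["entry"][0]["content"]["dispatchState"]
            if state in ("DONE", "FAILED"):
                break
            time.sleep(poll)
        results.append((name, sid, state))
        if state != "DONE":
            break  # do not start Q2 if Q1 failed or timed out
    return results
```

Results of a finished job can then be fetched from `/services/search/jobs/<sid>/results?output_mode=json` using the returned sid.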

somesoni2
SplunkTrust
SplunkTrust

In case multisearch doesn't work, you can have all your saved searches running in dashboard panels and can schedule dashboard to run at a schedule.


mbenwell
Communicator

You could try the multisearch command
