Splunk Search

Is there a way to use post process searching for a subsearch instead of tacking it onto the front of subsequent searches as per norm?

kkas
Path Finder

So I have a subsearch that is the same in a couple panels and their searches, but I've been looking for a way to do that subsearch once and call those results into those panels.
I've only come across post process searching that seems to be in the right direction, but from all the examples I've seen, it doesn't allow you to use those results as a subsearch, but only as the basis search or front end of the search.

Is there a way to have a similar post process searching except for a subsearch statement?

1 Solution

kkas
Path Finder

I'm just gonna bite the bullet and learn Advanced XML to use the Sideview result setter module. It will also open up the opportunity to use different functions that aren't accessible in Simple XML.

MuS
SplunkTrust

Ask yourself a different question: Why do you need to run a subsearch? Usually you can avoid subsearches if you approach your goal in a different way.


kkas
Path Finder

The thing is, I was kind of looking for a way to use post process searching as a back way of storing a result and using it in multiple searches. For example, I have a user input network ID and I have a macro that generates their IP address. From this IP address, I am running multiple searches. Instead of having to run the macro for each search, I was looking for a way to run it once and store the result to use in the other searches. It seems the most widely used solution for this issue is just using Advanced XML with Sideview and using their result value setter module.
