Solved: Saved "search components"?

jcfergus · ‎11-08-2011

From what I've been reading, I don't see that this is possible, but... Is there any way to create a saved search that is really just designed to be used as a component of another search?

For example, I'd like to be able to create a saved search called "field_filter", which simply contains:

|fields myfield1, myfield2, myfield3

(It would really be a much longer list of fields.) I'd then like to be able to pipe any other search through that filter. The obvious mechanisim would have been to use |savedsearch field_filter at the end of my primary search, but that doesn't work ("savedsearch must be the first item in a search"). Is this possible?

RicoSuave · ‎11-08-2011

You could do this with a macro. Take a look at the docs. Your search would then be something like my search | 'yourmacro'

View solution in original post

RicoSuave · ‎11-08-2011

You could do this with a macro. Take a look at the docs. Your search would then be something like my search | 'yourmacro'

jcfergus · ‎11-08-2011

Ah, well, that's annoyingly obvious now that I know the right terminology. sighs Thanks!

Saved "search components"?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation