Solved: Re: Saved "search components"?

jcfergus · ‎11-08-2011

From what I've been reading, I don't see that this is possible, but... Is there any way to create a saved search that is really just designed to be used as a component of another search?

For example, I'd like to be able to create a saved search called "field_filter", which simply contains:

|fields myfield1, myfield2, myfield3

(It would really be a much longer list of fields.) I'd then like to be able to pipe any other search through that filter. The obvious mechanisim would have been to use |savedsearch field_filter at the end of my primary search, but that doesn't work ("savedsearch must be the first item in a search"). Is this possible?

RicoSuave · ‎11-08-2011

You could do this with a macro. Take a look at the docs. Your search would then be something like my search | 'yourmacro'

View solution in original post

RicoSuave · ‎11-08-2011

You could do this with a macro. Take a look at the docs. Your search would then be something like my search | 'yourmacro'

jcfergus · ‎11-08-2011

Ah, well, that's annoyingly obvious now that I know the right terminology. sighs Thanks!

Saved "search components"?

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!