Solved: Saved "search components"?

jcfergus · ‎11-08-2011

From what I've been reading, I don't see that this is possible, but... Is there any way to create a saved search that is really just designed to be used as a component of another search?

For example, I'd like to be able to create a saved search called "field_filter", which simply contains:

|fields myfield1, myfield2, myfield3

(It would really be a much longer list of fields.) I'd then like to be able to pipe any other search through that filter. The obvious mechanisim would have been to use |savedsearch field_filter at the end of my primary search, but that doesn't work ("savedsearch must be the first item in a search"). Is this possible?

RicoSuave · ‎11-08-2011

You could do this with a macro. Take a look at the docs. Your search would then be something like my search | 'yourmacro'

View solution in original post

RicoSuave · ‎11-08-2011

You could do this with a macro. Take a look at the docs. Your search would then be something like my search | 'yourmacro'

jcfergus · ‎11-08-2011

Ah, well, that's annoyingly obvious now that I know the right terminology. sighs Thanks!

Saved "search components"?

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Changes to Splunk Instructor-Led Training Completion Criteria