Splunk Search

Search Alias

New Member

I'm new on Splunk
It's possible to give an alias to a search?

I'm trying to do something like this:
index=Obs1 AS A or index= sourcetype =OBS2 AS B | eval mynormalizesidField=(If(index=="A",ID,ID))

What is the best way to give an alias to a complete search?

0 Karma


Haha, the answers are exactly what I was looking for 🙂
However, it seems to me that it is really different from what the OP was asking for...
I think that most likely what you wished for is this :
| multisearch [search index=Obs1 | eval alias= "A"] [search index=* sourcetype =OBS2 | eval alias="B"] | eval mynormalizesidField=(If(alias=="A",ID,ID))
Basically, you run two differents search, mark in one field which corresponds to which and then do your formating (which you could easily conduct in the respective searches btw 😉 )

I guess the answer is quite late though... But might be upvoted if someone having the same problem as you find this post (quite unlinkely IMHO, since I guess the question is kind of named in a measleading way...)

I do not dare upvote the answers that helped me since objectively I do not think it answers the OP, but still thank you !

Edit: Link to multisearch Official Documentation : http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Multisearch

0 Karma

Revered Legend

You can create a saved search with this search string and then use it like this

| savedsearch "name of your saved search"

See this for saving search http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchTutorial/Aboutsavingandsharingreports
More info on savedsearch commadn http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Savedsearch

0 Karma


May be the best way for you is to use search macro.

0 Karma