I have a saved search that will take a 'host' parameter, like the following:
|savedsearch "searchName" host="hostName"
|savedsearch "searchName" host="hostName1" OR host="hostName2"
Do you have any suggestions on how to include two different specific hosts in this situation?
This is with Splunk version 5.0.4.
Define your saved search like this:
index=_internal $host$
and call it like this:
| savedsearch host_search host="host=foo OR host=bar"
That'll run a search like this behind the scenes:
index=_internal host=foo OR host=bar
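An added example, not part of the original answer: a Python helper that builds the host argument above from a list of hostnames and models the $host$ replacement as plain text substitution. Because the argument text becomes part of the search, each hostname is checked first. The function names and the hostname pattern are assumptions made for this illustration; the hosts and definitions are the ones used in this thread.

```python
import re

# Assumption: hostnames are plain DNS-style names. Anything else is refused,
# because $host$ is replaced textually and becomes part of the search string.
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")
_NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def build_host_clause(hosts):
    """Return 'host=a OR host=b' for a non-empty list of validated hostnames."""
    if not hosts:
        raise ValueError("at least one host is required")
    seen = []
    for h in hosts:
        if not _HOST_RE.fullmatch(h):
            raise ValueError("refusing host value: %r" % (h,))
        if h not in seen:  # drop duplicates, keep the caller's order
            seen.append(h)
    return " OR ".join("host=%s" % h for h in seen)


def savedsearch_call(name, hosts):
    """Build the '| savedsearch' line in the form shown in the answer."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError("refusing saved search name: %r" % (name,))
    return '| savedsearch %s host="%s"' % (name, build_host_clause(hosts))


def expand(definition, host_value):
    """Model of the substitution: $host$ is replaced by the argument text."""
    return definition.replace("$host$", host_value)


if __name__ == "__main__":
    clause = build_host_clause(["foo", "bar"])
    print(savedsearch_call("host_search", ["foo", "bar"]))
    # Definition from the answer: the clause is inserted as-is.
    print(expand("index=_internal $host$", clause))
    # Definition with host=$host$: the field name is doubled.
    print(expand("index=_internal host=$host$", clause))
```

The last line of output shows why a definition written as host=$host$ cannot take a multi-host argument of this form.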
That is exactly what I needed. I had it defined as host=$host$ before. This solves it. Thanks!
What about this one?
| foreach hostName1 hostName2 [ savedsearch "searchName" host="<<FIELD>>" ]
That may work for the most recent Splunk, but I'm on 5.0.4, which does not have that command yet. I edited the description to add the version number.
Would this work?
|savedsearch "searchName" host="hostName1"
| append [ savedsearch "searchName" host="hostName2" ]
When doing that, I get this error:
Error in 'SearchParser': Found circular dependency when expanding savedsearch="searchName"