Re: Subsearch using loadjob not working

jamesvz84 · ‎07-09-2014

I try the following search:

| loadjob savedsearch="admin:app1:app1_view1" | fields hostname

This returns "hostname05" as a result.

I then try to embed this as a subsearch:

| loadjob savedsearch="admin:winapp:perfmon_results" | search object=Processor counter="% Processor Time" [| loadjob savedsearch="admin:app1:app1_view1" | fields hostname]

This return no results, however, if I do this:

   | loadjob savedsearch="admin:winapp:perfmon_results" | search object=Processor counter="% Processor Time" hostname="hostname05"

It returns many results. Why is the subsearch not working? Do I need to call loadjob differently? I've tried with and without the initial pipe.

sansay · ‎03-29-2016

Subsearch calling loadjob does not work. You get "Error in 'SearchOperator:loadjob': Cannot find artifacts for savedsearch_ident 'user:app:saved_search_name'.
Here is the query I used:
| loadjob savedsearch="user:app:saved_search_name_1" | append [| loadjob savedsearch="user:app:saved_search_name_2"]

somesoni2 · ‎07-09-2014

Try this.

| loadjob savedsearch="admin:winapp:perfmon_results" | search object=Processor counter="% Processor Time" [| loadjob savedsearch="admin:app1:app1_view1" | fields hostname | format "" "" "" "" "" ""]

Subsearch using loadjob not working

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation