Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

how to replace a lookup part in the splunk query with a saved search?

pavanae
Builder
โ€Ž05-18-2018 07:43 AM

I have a query as below which gives some output

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[| inputlookup device_list.csv

| rename devip as my_ip ]

Now, I had created a small saved search to save the daily lookup result using the summery indexing concept like below

saved search name :- daily_device_list
search :-
| inputlookup device_list.csv

| rename devip as my_ip
scheduled :- once everyday
will save the results on index "summary"

Now, I am trying to replace my query with the saved search like below

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[index="summary" search_name="daily_device_list" ]

Which throws me an error as follows

Search Factory: Unknown search command 'index'.

Now, could someone assist me on what went wrong or how to modify my query to use the saved search "daily_device_list" by replacing the actuall query?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

solarboyz1
Builder
โ€Ž05-18-2018 07:53 AM

You need to put the search command in the box:

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[ search index="summary" search_name="daily_device_list" ]

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

solarboyz1
Builder
โ€Ž05-18-2018 07:53 AM

You need to put the search command in the box:

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[ search index="summary" search_name="daily_device_list" ]

View solution in original post

0 Karma
Reply