Splunk Search

how to replace a lookup part in the splunk query with a saved search?

pavanae
Builder

I have a query as below which gives some output

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[| inputlookup device_list.csv

| rename devip as my_ip ]

Now, I had created a small saved search to save the daily lookup result using the summery indexing concept like below

saved search name :- daily_device_list
search :-
| inputlookup device_list.csv

| rename devip as my_ip
scheduled :- once everyday
will save the results on index "summary"

Now, I am trying to replace my query with the saved search like below

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[index="summary" search_name="daily_device_list" ]

Which throws me an error as follows

Search Factory: Unknown search command 'index'.

Now, could someone assist me on what went wrong or how to modify my query to use the saved search "daily_device_list" by replacing the actuall query?

0 Karma
1 Solution

solarboyz1
Builder

You need to put the search command in the box:

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[ search index="summary" search_name="daily_device_list" ]

View solution in original post

0 Karma

solarboyz1
Builder

You need to put the search command in the box:

index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[ search index="summary" search_name="daily_device_list" ]

0 Karma
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...