How to replace a lookup part in the Splunk query with a saved search?

I have the query below, which gives some output:

index="summary" searchname="ABC"
| dedup hostname
| join type=outer ipaddress
    [| inputlookup devicelist.csv
     | rename devip AS myip ]

Now I have created a small saved search to save the daily lookup result using the summary indexing concept, like below:

saved search name: dailydevicelist
search:
| inputlookup devicelist.csv
| rename devip AS myip
scheduled: once every day
will save the results in index "summary"

Now I am trying to replace the subsearch in my query with the saved search, like below:

index="summary" searchname="ABC"
| dedup hostname
| join type=outer ipaddress
    [index="summary" searchname="dailydevice_list" ]

This throws the following error:

Search Factory: Unknown search command 'index'.

Could someone assist me on what went wrong, or on how to modify my query to use the saved search "dailydevicelist" in place of the actual subsearch?

1 Solution

You need to put the search command inside the brackets:

index="summary" searchname="ABC"
| dedup hostname
| join type=outer ipaddress
    [ search index="summary" searchname="dailydevice_list" ]

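The accepted answer fixes the parse error, but the complete round trip (writing the daily lookup into the summary index, then reading it back in a subsearch) is worth seeing end to end. The SPL below is an added example, not code from the original post. It assumes the saved search writes to the summary index with the collect command and a marker field named searchname (the post does not show how its summary events are written, so this is an assumption), and it assumes the join field ipaddress and the renamed field myip from the poster's first query, adding a rename so the two sides of the join actually share a field name (also an assumption; the post never says they match). The fourth search assumes a lookup definition named devicelist pointing at devicelist.csv.

```spl
| inputlookup devicelist.csv
| rename devip AS myip
| collect index=summary marker="searchname=dailydevicelist"

index="summary" searchname="ABC"
| dedup hostname
| join type=outer ipaddress
    [ search index="summary" searchname="dailydevicelist"
      | rename myip AS ipaddress ]

index="summary" searchname="ABC"
| dedup hostname
| join type=outer ipaddress
    [| savedsearch dailydevicelist
     | rename myip AS ipaddress ]

index="summary" searchname="ABC"
| dedup hostname
| lookup devicelist devip AS ipaddress OUTPUTNEW devip AS matched_devip
```

The first search is the scheduled one: it emits each lookup row as a summary event tagged with searchname=dailydevicelist, so the second search can select exactly those events. Inside [ ], a subsearch that starts with a bare term such as index="summary" is not parsed as a search; it must start with the search command (or with a pipe followed by a generating command such as inputlookup or savedsearch, as in the third search, which runs the saved search directly instead of reading its summary-indexed copy). Two caveats a practitioner should keep in mind: a subsearch is capped by default at 10,000 results and 60 seconds, and join is among the most expensive SPL commands, so when the goal is only to enrich events from a CSV, the fourth search with lookup does the same enrichment without a subsearch or a summary index at all.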
