I have a query as below which gives some output:
index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[| inputlookup device_list.csv
| rename devip as my_ip ]
Now, I had created a small saved search to save the daily lookup result using the summary indexing concept, like below:
saved search name :- daily_device_list
search :-
| inputlookup device_list.csv
| rename devip as my_ip
scheduled :- once everyday
will save the results on index "summary"
Now, I am trying to replace my query with the saved search like below:
index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[index="summary" search_name="daily_device_list" ]
Which throws me an error as follows:
Search Factory: Unknown search command 'index'.
Now, could someone assist me on what went wrong, or how to modify my query to use the saved search "daily_device_list" by replacing the actual query?
You need to put the search command in the box:
index="summary" search_name="ABC"
| dedup hostname
| join type=outer ip_address
[ search index="summary" search_name="daily_device_list" ]