Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

multiple base search

secure
Path Finder
‎02-05-2025 07:58 AM

Hi i have a complex base search where iam comparing data from two indexes using left join and getting the results in a table query is working fine but its very slow

so i have now decided to split it into two base searches and then combine them in the panel 

index=serverdata
  | rex "host_name=\"(?<server_host_name>[^\"]*)"
| lookup servers_businessgroup_appcode.csv appcode  output Business_Group as New_Business_Group
|chart dc(host_name) over appcode  by  host_environment
| eval TOTAL_servers=DEV+PAT+PROD
| table appcode DEV PAT PROD TOTAL_servers

 

2nd Base search 

index=abc 
| rex field=data "\|(?<server_name>[^\.|]+)?\|(?<appcode>[^\|]+)?\|"
| lookup servers_businessgroup_appcode.csv appcode  output Business_Group as New_Business_Group

 i want to use this in third panel  combine both the searches using a left join and get the list of servers details in both the index 

question how can i use two base searches in a single search 

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-05-2025 04:34 PM

Technically you could use both base searches, but it's a bit fiddly and isn't really going to save you anything as the searches have to run anyway. You would get the job ids of each base search and then in your panel search you would use loadjob to load each of the jobs.  However, you're still going to have to load the second job in some kind of subsearch (join?) so not sure where you're trying to go with this.

If you are simply trying to speed up a join search, you can't achieve this with two base searches, as you are simply not changing anything and it will take the time it takes.

The solution for a poor performing search using join is to remove the use of join and rewrite the search in another way.

Looking at your existing searches I'm not sure why you are trying to combine these in the first place, because you have appcode in your first search and you simply want appcode to get the list of details from the lookup.

You are doing a lookup in the primary search but doing nothing with the retrieved data. Why don't you just do the lookup in your primary search after the chart, i.e.

index=serverdata
  | rex "host_name=\"(?&lt;server_host_name&gt;[^\"]*)"
|chart dc(host_name) over appcode  by  host_environment
| eval TOTAL_servers=DEV+PAT+PROD
| table appcode DEV PAT PROD TOTAL_servers
| lookup servers_businessgroup_appcode.csv appcode  output Business_Group as New_Business_Group

 

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎02-05-2025 11:58 AM

Hi @secure as @gcusello stated you can have only one base search.

What would it mean to have 2 in a panel?  The base search just returns the results so how could you use 2 together?

I am not sure if this helps but you can have a base search use another base search.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-05-2025 08:03 AM

Hi @secure ,

in a dashboard it's possible to define more base searches, but in each panel, it's possible to use only one base search, not more.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
li.common.scroll-to.top