Splunk Search

multiple base search

secure
Path Finder

Hi, I have a complex base search where I am comparing data from two indexes using a left join and getting the results in a table. The query is working fine but it is very slow.

So I have now decided to split it into two base searches and then combine them in the panel.

index=serverdata
| rex "host_name=\"(?<server_host_name>[^\"]*)"
| lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group
| chart dc(host_name) over appcode by host_environment
| eval TOTAL_servers=DEV+PAT+PROD
| table appcode DEV PAT PROD TOTAL_servers


2nd base search:

index=abc
| rex field=data "\|(?<server_name>[^\.|]+)?\|(?<appcode>[^\|]+)?\|"
| lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group

I want to use this in a third panel: combine both searches using a left join and get the list of server details in both indexes.

Question: how can I use two base searches in a single search?



bowesmana
SplunkTrust

Technically you could use both base searches, but it's a bit fiddly and isn't really going to save you anything as the searches have to run anyway. You would get the job ids of each base search and then in your panel search you would use loadjob to load each of the jobs.  However, you're still going to have to load the second job in some kind of subsearch (join?) so not sure where you're trying to go with this.

If you are simply trying to speed up a join search, you can't achieve this with two base searches, as you are simply not changing anything and it will take the time it takes.

The solution for a poor performing search using join is to remove the use of join and rewrite the search in another way.

Looking at your existing searches I'm not sure why you are trying to combine these in the first place, because you have appcode in your first search and you simply want appcode to get the list of details from the lookup.

You are doing a lookup in the primary search but doing nothing with the retrieved data. Why don't you just do the lookup in your primary search after the chart, i.e.

index=serverdata
| rex "host_name=\"(?<server_host_name>[^\"]*)"
| chart dc(host_name) over appcode by host_environment
| eval TOTAL_servers=DEV+PAT+PROD
| table appcode DEV PAT PROD TOTAL_servers
| lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group


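The join-free rewrite bowesmana is pointing at, as an added example that is not code from the thread: it pulls both indexes in one search, normalises the hostname to a lowercase short name (assumed here to be the key the original left join used), and keeps every serverdata host whether or not index=abc has a matching row, which is what the left join returned. Field names other than those in the two posted searches (server, in_serverdata, in_abc) are assumptions.

```spl
(index=serverdata) OR (index=abc)
| rex "host_name=\"(?<server_host_name>[^\"]*)"
| rex field=data "\|(?<server_name>[^\.|]+)?\|(?<appcode>[^\|]+)?\|"
| eval server=coalesce(server_host_name, host_name, server_name)
| eval server=lower(mvindex(split(server, "."), 0))
| eval in_serverdata=if(index="serverdata", 1, 0)
| eval in_abc=if(index="abc", 1, 0)
| stats values(appcode) as appcode,
        values(host_environment) as host_environment,
        max(in_serverdata) as in_serverdata,
        max(in_abc) as in_abc
        by server
| where in_serverdata=1
| lookup servers_businessgroup_appcode.csv appcode output Business_Group as New_Business_Group
| table server appcode host_environment in_abc New_Business_Group
```

One stats pass replaces the join, so the search scales with event volume instead of hitting join's subsearch limits; dropping the where clause gives the full outer result, and where in_abc=1 gives the inner one.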

burwell
SplunkTrust

Hi @secure, as @gcusello stated, you can have only one base search.

What would it mean to have 2 in a panel?  The base search just returns the results so how could you use 2 together?

I am not sure if this helps but you can have a base search use another base search.


gcusello
SplunkTrust

Hi @secure ,

In a dashboard it's possible to define several base searches, but in each panel it's possible to use only one base search, not more.

Ciao.

Giuseppe
