Splunk Search

search through saved searches with a wildcard? Show all results of searches with name ending with treshold

jan_wohlers
Path Finder

Hi Splunkeez,

for a dashboard we created about 50 savedsearches. 15 of the names are ending with treshold. They are pretty similar but having some minor differences. I want so run a search over all 15 savedsearches with the name ending with treshold and then want to check a value. Is this value - lets say 2 - I want it to be shown in the dashboad as a text.

Is it not possible to use a *-wildcard

|savedsearch *treshold .... 

Splunk now tries to search for a savedsearch with the exact name "*treshold". My intension was to run all searches with treshold in the name...

|savedsearch abc-treshold,123-treshold,avg-treshold,etc.

Is there a way to run this the way I want to?

/Jan

0 Karma

jonuwz
Influencer

You can get a list of your saved searches like this :

| rest /servicesNS/admin/search/saved/searches | search title="*threshold"

(you may need to swap out 'search' with the name of your app)

Then you can add

 | map maxsearches=20 search="| savedsearch \"$title$\" | eval savedsearch=\"$title$\" "

I added "savedsearch" as a field because you'll probably need it anyway, plus there has to be at least 1 common field across all the searches.

One thing to note, all the searches will be run across the same time range.

map is cool. if you run a search, by using map, you can run a subsearch with string replacement.

In the above example, the initial rest query returns the saved searches in a field called 'title'

The map command runs the search n times, replacing $title$ with the savedsearch name each time.

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!