Splunk Search

search through saved searches with a wildcard? Show all results of searches with name ending with treshold

jan_wohlers
Path Finder

Hi Splunkeez,

For a dashboard we created about 50 savedsearches. 15 of the names end with treshold. They are pretty similar but have some minor differences. I want to run a search over all 15 savedsearches with the name ending with treshold and then want to check a value. If this value is, let's say, 2, I want it to be shown in the dashboard as a text.

Is it not possible to use a *-wildcard?

|savedsearch *treshold .... 

Splunk now tries to search for a savedsearch with the exact name "*treshold". My intention was to run all searches with treshold in the name...

|savedsearch abc-treshold,123-treshold,avg-treshold,etc.

Is there a way to run this the way I want to?

/Jan

0 Karma

jonuwz
Influencer

You can get a list of your saved searches like this:

| rest /servicesNS/admin/search/saved/searches | search title="*threshold"

(you may need to swap out 'search' with the name of your app)

Then you can add

 | map maxsearches=20 search="| savedsearch \"$title$\" | eval savedsearch=\"$title$\" "

I added "savedsearch" as a field because you'll probably need it anyway, plus there has to be at least 1 common field across all the searches.

One thing to note, all the searches will be run across the same time range.

map is cool. If you run a search, by using map, you can run a subsearch with string replacement.

In the above example, the initial rest query returns the saved searches in a field called 'title'.

The map command runs the search n times, replacing $title$ with the savedsearch name each time.
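The two pieces from the answer above joined into one pipeline, followed by the value check the question asks for. This is an added example, not part of the original posts. It uses the asker's spelling `*treshold` for the saved search names, and it assumes every matching saved search returns a numeric field named `value`; that field name and the `message` text are hypothetical.

```spl
| rest /servicesNS/admin/search/saved/searches
| search title="*treshold"
| fields title
| map maxsearches=20 search="| savedsearch \"$title$\" | eval savedsearch=\"$title$\""
| where value=2
| eval message=savedsearch." returned 2"
| table savedsearch value message
```

`maxsearches` must be at least the number of matching saved searches (15 in the question), otherwise map stops before running the rest.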
