Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

searching subset of original search

ChrisCLewis
Communicator
‎12-11-2018 05:46 AM

Good afternoon,

I am trying to find a way to carry out a search to find a subset of data and to then carry out more than one search on these subsets, without saving any of the data (i.e. not allowed to use lookup)

Each time stats are created for the subset I will need to then do another search on the subset to get a sub-sub set of data to generate stats for.

I can get it working by using append and running the original search, including additional criteria but this makes the searches very slow and prone to timing out.

The stats are not the same for each sub-search.

Appendcols / appendpipe / join do not seem to be working when just adding the extra search requirements.

I'd like to have 2 or 3 dashboards which have all the sub data calculated rather than having to do 20+ individual searches (scheduled reports are not an option either) - Or am I asking too much of splunk 😉

Many thanks for your time

0 Karma
Reply

somesoni2
Revered Legend
‎12-11-2018 08:18 AM

Since you plan to create a dashboard, have you looked at Post Process searches in Splunk?

http://docs.splunk.com/Documentation/Splunk/7.2.1/Viz/Savedsearches#Post-process_searches_2

This concept provides you a way to run one base search and power other "subsearches" from result of base search. So you would have to find a way to merge your existing searches, preferably till stats, which will allow you to add filters at post-process subsearches.

It would help if you can share some sample searches that you want to power off from single search (mask anything that's sensitive).

0 Karma
Reply

ktugwell_splunk
Splunk Employee
Splunk Employee
‎12-11-2018 06:54 AM

Have you thought about chaining searches together using a base search in a dashboard, outputting the sid of that search to a token, then using the | loadjob <sid> command to load the results, then you can perform more stats?

0 Karma
Reply

ChrisCLewis
Communicator
‎12-11-2018 07:04 AM

Good afternoon,

Many thanks for the speedy reply. I've not seen this before - I shall go and do some looking into as it looks good..

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...