Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Run saved search multiple times in same query?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We used to append saved search results as following without problem:
| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | append [|savedsearch Test_VPN_log_stats ]
However, when same saved search is used, e.g.
| savedsearch Test_VPN_log_stats| append [|savedsearch Test_VPN_log_stats ]
We'll get error like this:
Error in 'SearchParser': Found circular dependency when expanding savedsearch=Test_VPN_log_stats
Would like to know if it's possible to:
- append output of same saved query multiple times?
pass fields from the first saved search to the appending ones, e.g. IPAddr and UserName are 2 of the resulting field from saved search Test_RADIUS_report:
| savedsearch Test_RADIUS_report ipaddr="" username="Amuro" | append [|savedsearch Test_RADIUS_report ipaddr=$IPAddr username="" ] |append [| savedsearch Test_RADIUS_report ipaddr="*" username=$UserName ] | more append ....
Sorry that I've old school thinking and and hope savedsearch can be used as function call that can be called recursively.
Would anyone please help?
Thanks a lot.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might be able to use selfjoin (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Selfjoin) but better yet, try multireport (no docs on this yet), like this:
| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro"
| multireport
[| stats count BY host]
[| stats count BY sourcetype]
[| stats count BY server]
Or multisearch, like this:
| multisearch
[| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=1]
[| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=2]
[| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=3]
| stats count BY set
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might be able to use selfjoin (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Selfjoin) but better yet, try multireport (no docs on this yet), like this:
| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro"
| multireport
[| stats count BY host]
[| stats count BY sourcetype]
[| stats count BY server]
Or multisearch, like this:
| multisearch
[| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=1]
[| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=2]
[| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=3]
| stats count BY set
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's helpful. Thanks a lot.
Splunk Answers Content Calendar, July Edition I
Secure Your Future: Mastering Upgrade Readiness for Splunk 10
Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM
