Solved: Can i write a base search in another base search

renuka · ‎05-06-2021

<search id="base_query_filter">
<query>
Index=a,sourcetype=x,eval y=A+B</query>
</search>

<search id="base_query">
<query>
index=a,sourcetype=x,eval y=A+B -(here can i consider the base_query_filter base search)
join type =inner max=0(index=b,sourtype=y)</query>
<search>

Is it possible to consider one base search in another base search id?

Thank You in advance

Renuka

kamlesh_vaghela · ‎05-06-2021

@renuka

You can try something like this.

<search id="base_query_filter">
          <query>
            Index=a,sourcetype=x,eval y=A+B
        </query>
        </search>

        <search base="base_query_filter" id="base_query">
        <query>
        join type =inner max=0(index=b,sourtype=y)</query>
        </search>

View solution in original post

kamlesh_vaghela · ‎05-06-2021

@renuka

You can try something like this.

<search id="base_query_filter">
          <query>
            Index=a,sourcetype=x,eval y=A+B
        </query>
        </search>

        <search base="base_query_filter" id="base_query">
        <query>
        join type =inner max=0(index=b,sourtype=y)</query>
        </search>

renuka · ‎05-06-2021

@kamlesh_vaghela

Thank you so much

Can i write a base search in another base search

other

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability