Solved: Kicking different searches

yuwtennis · ‎10-27-2013

Hi!

I want to ask question if something like below can be implemented.

I have created 4 searches.

search A : creates a CSV file with outputcsv
search B : creates a CSV file using the csv from search A
search C : creates a CSV file using the csv from search A
search D : creates a CSV file using the csv from search A

So the call flow would be like,

search A -> search B
-> search C
-> search D

search B - D has to be called the in the stream of search A.

Is this possible?

Thanks,
Yu

Ayn · ‎10-27-2013

You can use the fact that subsearches are run before the main search, so first of all run search A in a subsearch so that the CSV file exists, then use it in all your other searches.

searchB [search searchA | outputcsv ... | return ""] | outputcsv ... | append [search searchC | outputcsv ... ] | append [search searchD | outputcsv ... ]

View solution in original post

Ayn · ‎10-27-2013

You can use the fact that subsearches are run before the main search, so first of all run search A in a subsearch so that the CSV file exists, then use it in all your other searches.

searchB [search searchA | outputcsv ... | return ""] | outputcsv ... | append [search searchC | outputcsv ... ] | append [search searchD | outputcsv ... ]

yuwtennis · ‎10-27-2013

Hello Ayn.

This looks nice. I will take a look at it.

Thanks,
Yu

Kicking different searches

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...