Subsearch using loadjob not working

jamesvz84 · ‎07-09-2014

I try the following search:

| loadjob savedsearch="admin:app1:app1_view1" | fields hostname

This returns "hostname05" as a result.

I then try to embed this as a subsearch:

| loadjob savedsearch="admin:winapp:perfmon_results" | search object=Processor counter="% Processor Time" [| loadjob savedsearch="admin:app1:app1_view1" | fields hostname]

This return no results, however, if I do this:

   | loadjob savedsearch="admin:winapp:perfmon_results" | search object=Processor counter="% Processor Time" hostname="hostname05"

It returns many results. Why is the subsearch not working? Do I need to call loadjob differently? I've tried with and without the initial pipe.

sansay · ‎03-29-2016

Subsearch calling loadjob does not work. You get "Error in 'SearchOperator:loadjob': Cannot find artifacts for savedsearch_ident 'user:app:saved_search_name'.
Here is the query I used:
| loadjob savedsearch="user:app:saved_search_name_1" | append [| loadjob savedsearch="user:app:saved_search_name_2"]

somesoni2 · ‎07-09-2014

Try this.

| loadjob savedsearch="admin:winapp:perfmon_results" | search object=Processor counter="% Processor Time" [| loadjob savedsearch="admin:app1:app1_view1" | fields hostname | format "" "" "" "" "" ""]

Subsearch using loadjob not working

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM