Solved: Run saved search multiple times in same query?

stwong · ‎06-06-2017

Hi,

We used to append saved search results as following without problem:

| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | append [|savedsearch Test_VPN_log_stats  ]

However, when same saved search is used, e.g.

| savedsearch Test_VPN_log_stats| append [|savedsearch Test_VPN_log_stats  ]

We'll get error like this:

Error in 'SearchParser': Found circular dependency when expanding savedsearch=Test_VPN_log_stats

Would like to know if it's possible to:

append output of same saved query multiple times?
pass fields from the first saved search to the appending ones, e.g. IPAddr and UserName are 2 of the resulting field from saved search Test_RADIUS_report:

| savedsearch Test_RADIUS_report ipaddr="" username="Amuro" | append [|savedsearch Test_RADIUS_report ipaddr=$IPAddr username="" ] |append [| savedsearch Test_RADIUS_report ipaddr="*" username=$UserName ] | more append ....
Sorry that I've old school thinking and and hope savedsearch can be used as function call that can be called recursively.
Would anyone please help?

Thanks a lot.
Regards

woodcock · ‎06-06-2017

You might be able to use selfjoin (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Selfjoin) but better yet, try multireport (no docs on this yet), like this:

| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro"
| multireport
    [| stats count BY host]
    [| stats count BY sourcetype]
    [| stats count BY server]

Or multisearch, like this:

| multisearch
    [| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=1] 
    [| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=2] 
    [| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=3]
| stats count BY set

View solution in original post

woodcock · ‎06-06-2017

You might be able to use selfjoin (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Selfjoin) but better yet, try multireport (no docs on this yet), like this:

| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro"
| multireport
    [| stats count BY host]
    [| stats count BY sourcetype]
    [| stats count BY server]

Or multisearch, like this:

| multisearch
    [| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=1] 
    [| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=2] 
    [| savedsearch Test_RADIUS_SavedSearch ipaddr="*" bool="" username="Amuro" | eval set=3]
| stats count BY set

stwong · ‎06-07-2017

That's helpful. Thanks a lot.

Run saved search multiple times in same query?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!