Dashboards & Visualizations

Run and append multiple savedsearches... AND pass tokens?

nick405060
Motivator

I'd like to run and append the results of multiple savedsearches into one aggregate report so that I can do analytics on the aggregate results. How can I do this?

Use case: have a user click submit in a dashboard, and then later receive an email with an aggregate user activity report on sessions, compiled from exchange, VPN, wineventlog, badge, duo, and other savedsearches. Inlining is not desired, and tokens are passed all the way from the dashboard to the savedsearches.

I can implement the use case but can't figure out how to make the report that is sent be aggregated from other savedsearches. You can append multiple jobs in a dashboard using

append [| loadjob "$job_sid_token1$"] | append [| loadjob "$job_sid_token2$"]

but I am not sure how to do it in a report. You can't

| append [| savedsearch ...] | append [| savedsearch ...]

since you can't pass tokens to an append... is there some way I can append multiple maps, something like the following?

| map maxsearches=10000 search="| savedsearch REPORT1 passed_token=$passed_token$" | map maxsearches=10000 search="| savedsearch REPORT2 passed_token=$passed_token$"

... because that would solve my problem; you can use the savedsearch command in a map AND pass tokens.

1 Solution

nick405060
Motivator

Took me a while but @Yorokobi's answer in Slack usergroups ended up working:

In the aggregate report:

multireport [| savedsearch REPORT1 my_token="$my_token$"] [| savedsearch REPORT2 my_token="$my_token$"] [| savedsearch REPORT3 my_token="$my_token$"]

What tripped me up is that you have to be very careful about whether or not you have quotes around the tokens. My working solution has quotes around the tokens in the dashboard, in the aggregate report, and in the savedsearches.
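As an added illustration, not part of the original thread or its author's configuration, here is how the quoting described above looks end to end when written as savedsearches.conf stanzas. The report name AGGREGATE_REPORT, the index and field names, and the dashboard query shown in the comment are assumptions; REPORT1 and REPORT2 are the names used in the post.

```ini
# Constructed example (not from the thread): savedsearches.conf stanzas.
# The dashboard passes the token to the aggregate report with quotes around
# it, e.g. in a panel query or submit-triggered search (assumed):
#   | savedsearch AGGREGATE_REPORT my_token="$my_token$"

# Aggregate report: multireport fans the quoted token out to each child
# report and appends their result sets into one table.
[AGGREGATE_REPORT]
search = | multireport [| savedsearch REPORT1 my_token="$my_token$"] [| savedsearch REPORT2 my_token="$my_token$"]

# Child reports: each one scopes its search to the passed token, again
# quoted, so the aggregate only ever contains the requested user's activity.
# Field names are aligned (user, src) so the appended rows line up.
[REPORT1]
search = index=wineventlog user="$my_token$" | stats count AS events min(_time) AS first_seen max(_time) AS last_seen BY user, src

[REPORT2]
search = index=vpn user="$my_token$" | stats count AS events min(_time) AS first_seen max(_time) AS last_seen BY user, src
```

The child reports depend on the argument being supplied through the savedsearch command; run on their own from the UI or a schedule there is no value to substitute for $my_token$, so keep them unscheduled and reachable only via the aggregate report.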
