Use repetitive query in a subsearch

andrewpagans · ‎01-20-2020

Hello All,
I would like to reuse repetitive query in a sub-search.
Could you please help me to retrieve the base query in the sub-search?

Here an example of what I would like to do:

<dashboard>
   <label>Test base query in a subsearch</label>
   <search id="subsearch_results">
     <query>index=_internal | table host,sourcetype</query>
     <earliest>-24h@h</earliest>
     <latest>now</latest>
   </search>
   <row>
     <panel>
       <event>
         <search>
           <query>index=_audit 
                         | join type=left host [| $subsearch_results$]
           </query>
           <earliest>-24h@h</earliest>
           <latest>now</latest>
           <sampleRatio>1</sampleRatio>
         </search>
         <option name="list.drilldown">none</option>
       </event>
     </panel>
   </row>
 </dashboard>

Thanks !

gcusello · ‎01-20-2020

Hi @andrewpagans,
it isn't possible to use a base search in a subquery.
Sometimes (e.g. in an example like the one you posted) you could reverse the searches:

 <dashboard>
    <label>Test base query in a subsearch</label>
    <search id="audit_results">
      <query>index=_audit </query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <row>
      <panel>
        <event>
          <search base="audit_results">
            <query>| join type=right host [| index=_internal ]
            </query>
            <earliest>-24h@h</earliest>
            <latest>now</latest>
            <sampleRatio>1</sampleRatio>
          </search>
          <option name="list.drilldown">none</option>
        </event>
      </panel>
    </row>
  </dashboard>

Ciao.
Giuseppe

Use repetitive query in a subsearch

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!