Solved: How to use an existing saved search/report as a su...

TobiasBoone · ‎01-12-2017

I'd like to prevent code / search syntax duplication; but often times I want to use the results of a saved search to be used as the query for a bigger search. Is there a way to call an existing saved search as a subsearch without simply duplicating the entire main search? This would make it MUCH easier to maintain code and simplify viewing big complex searches. I envision something like:

index=network sourcetype=cisco [call existing report MalwareHits | rename ip as query | fields query]

I know the search part works, but I hate to actually duplicate the entire malwarehits report inline.

TobiasBoone · ‎01-12-2017

loadjob uses the last results of a scheduled/previously run job (in my case an ldap query) so it won't work, but the SeeAlso on the page you provided gave me |savedsearch

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

which is exactly what I needed! Thank you!

View solution in original post

cmerriman · ‎01-12-2017

there is actually a savedsearch command that you can use in a subsearch.

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

TobiasBoone · ‎01-12-2017

loadjob uses the last results of a scheduled/previously run job (in my case an ldap query) so it won't work, but the SeeAlso on the page you provided gave me |savedsearch

http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Savedsearch

which is exactly what I needed! Thank you!

twinspop · ‎01-12-2017

loadjob

https://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Loadjob

How to use an existing saved search/report as a subsearch?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases