
Is it possible to use saved search RESULTS as a subsearch?

dspracklen
Path Finder

My problem with this is that the saved search takes longer than 60 seconds to run, so I only get partial answers if I try to run it as a subsearch. (it times out)

What is key about my question are the words 'saved search results'. I have created a saved search and set up another search to use it as a subsearch. The problem I encounter is that when used as a subsearch, the results are ignored and the saved search is run fresh. The saved search takes longer than 60 seconds to run, so I only get partial answers when it runs 'live' in a subsearch.

What I need is the ability to retrieve results from a saved search and use those as a subsearch so that I don't time out.

This is an abbreviated example of what I'm doing now. This just runs the saved search fresh for the subsearch instead of pulling the saved results.

sourcetype=Data_Input_File [savedsearch timeless_base_search] | ... etc ... | table IPAddress MACAddress

1 Solution

sowings
Splunk Employee

Have you tried it with a pipe as the first character after the leading [ of the subsearch (e.g. [ | savedsearch timeless_base_search ])? If that still doesn't work for you, consider loadjob. An example might look like | loadjob savedsearch="admin:search:timeless_base_search"

Another thing you could consider is to constrain the runtime of the subsearch, even if you want a different search scope for the outer search. This can be done using the "earliest" and "latest" keywords in your subsearch.



dspracklen
Path Finder

Excellent! The 'loadjob' advice worked like a charm. The pipe didn't solve this problem, but now with the other advice it all works as I'd hoped.

Thanks much!


dspracklen
Path Finder

I will give those first two options a try. It was also suggested to me that I have the internal saved search output to a lookup table and import THAT as the subsearch, effectively. (egads, trying to describe some of this clearly is difficult)

As for the time constraints, that's not something I can change. That's why it's 'timeless' in this instance. I don't need to run it often, but I do need a full answer.

Thanks much for the comment. I'll let you know how those suggestions work.

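An added worked example, not from the original thread, of the two routes discussed above: the loadjob subsearch from the accepted answer, and the lookup-table alternative dspracklen mentions. The saved search name, the owner:app prefix admin:search and the field names are taken from the thread; the lookup filename timeless_base_ips.csv and the alias in_base are assumed for illustration. loadjob only returns something if a finished artifact exists, so the saved search must be scheduled (enableSched = 1 with a cron_schedule in savedsearches.conf, and a dispatch.ttl long enough to outlive the gap between runs), and the artifact is read from the owner named in the prefix, who must have shared the saved search with whoever runs the outer search.

```spl
| loadjob savedsearch="admin:search:timeless_base_search" ignore_running=true
| stats count

sourcetype=Data_Input_File
    [ | loadjob savedsearch="admin:search:timeless_base_search" ignore_running=true
      | fields IPAddress
      | format ]
| table IPAddress MACAddress

| loadjob savedsearch="admin:search:timeless_base_search" ignore_running=true
| fields IPAddress
| outputlookup timeless_base_ips.csv

sourcetype=Data_Input_File
    [ | inputlookup timeless_base_ips.csv
      | fields IPAddress ]
| table IPAddress MACAddress

sourcetype=Data_Input_File
| lookup timeless_base_ips.csv IPAddress OUTPUT IPAddress AS in_base
| where isnotnull(in_base)
| table IPAddress MACAddress
```

The first search is the check to run before anything else: a count of zero means the scheduled search has not completed yet, or its artifact has already expired, and the subsearch in the second search would silently match nothing. The second search is the fix that worked in this thread; ignore_running=true makes loadjob skip a run that is still in progress and use the most recent finished artifact instead. Note that loadjob removes the 60-second problem but not the other subsearch limit: results fed back through a subsearch are still capped by maxout in the [subsearch] stanza of limits.conf (10,000 by default), and anything past the cap is dropped without an error. The third and fourth searches are the lookup route, which has the same cap when the lookup is read back through a subsearch, while the last search uses the lookup command directly and has no such cap, which makes it the safer choice when the base search can return more than 10,000 addresses.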