I am unable to save it as a global, due to security.
My previous saved searches, which do work via Splunk ODBC, are saved as private within an app (not ES). The difference here seems to be that ES is somehow different from other apps. That is also why the search is saved within ES: it is using lookups which exist within ES.
As to data models, I am not quite sure how to apply that. What we are trying to do is export the notable events, along with a log of what the analysts did regarding the notable events, out to an external tool for reporting. ES keeps a lot of info in its internal lookup tables; this search is combining many of those to create this output.