
search through saved searches with a wildcard? Show all results of searches with name ending with treshold

jan_wohlers
Path Finder

Hi Splunkeez,

For a dashboard we created about 50 savedsearches. 15 of the names end with treshold. They are pretty similar but have some minor differences. I want to run a search over all 15 savedsearches with the name ending with treshold and then want to check a value. If this value is, let's say, 2, I want it to be shown in the dashboard as text.

Is it not possible to use a *-wildcard?

|savedsearch *treshold .... 

Splunk now tries to search for a savedsearch with the exact name "*treshold". My intention was to run all searches with treshold in the name...

|savedsearch abc-treshold,123-treshold,avg-treshold,etc.

Is there a way to run this the way I want to?

/Jan

0 Karma

jonuwz
Influencer

You can get a list of your saved searches like this:

| rest /servicesNS/admin/search/saved/searches | search title="*threshold"

(you may need to swap out 'search' with the name of your app)

Then you can add

 | map maxsearches=20 search="| savedsearch \"$title$\" | eval savedsearch=\"$title$\" "

I added "savedsearch" as a field because you'll probably need it anyway, plus there has to be at least 1 common field across all the searches.

One thing to note, all the searches will be run across the same time range.

map is cool. If you run a search, by using map you can run a subsearch with string replacement.

In the above example, the initial rest query returns the saved searches in a field called 'title'

The map command runs the search n times, replacing $title$ with the savedsearch name each time.
