Dashboards & Visualizations

Dynamic Splunk Queries

triest
Communicator

Is there a way to run a search command and have it return the text of a query to run?

E.g. [ | gentimes start=-1 | eval foo="index=main | head 10 | table src_ip dest_ip" | fields foo | table foo ]

Is there a way to get it to execute the query stored in foo above?

The actual use case is I've written queries that are fairly complex and I'd like to create macros to use as templates. I wrote queries that generate the query text out of laziness and I would love to turn them into macros that would "just do the right thing".

It should be possible using the rest interface, but I'm hoping to avoid that.

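The REST route the question mentions, as an added example that is not from the thread or from Splunk's own SDK. The host, token, template parameter names and the spl_string helper are assumptions; the endpoint and form fields (POST /services/search/jobs with search, exec_mode and output_mode) are Splunk's documented ones. It renders the generated query from a template, quotes each substituted value as an SPL double-quoted string literal so a value cannot close the literal and append its own pipeline stage (the same containment martin_mueller notes that map enforces), and builds the request that submits the result as a oneshot job.

```python
"""Build a Splunk REST search-job request from a query template.

Assumed details (not from the thread): the host, the token, the template
parameter names and the spl_string helper are made up for illustration.
"""
import json
import urllib.parse
import urllib.request

SPLUNK_BASE = "https://splunk.example.internal:8089"  # assumed host


def spl_string(value: str) -> str:
    """Quote an untrusted value as an SPL double-quoted string literal.

    Backslashes and double quotes are escaped with a backslash, so a value
    such as  foo" | delete  stays inside one literal instead of terminating
    it and adding a new pipeline stage. Newlines are flattened to spaces.
    """
    cleaned = value.replace("\r", " ").replace("\n", " ")
    escaped = cleaned.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def render_query(index: str, src_ip: str, limit: int) -> str:
    """The template from the question, with parameters substituted safely."""
    if not isinstance(limit, int) or limit <= 0:
        raise ValueError("limit must be a positive integer")
    return (
        f"search index={spl_string(index)} src_ip={spl_string(src_ip)} "
        f"| head {limit} | table src_ip dest_ip"
    )


def build_job_request(base_url: str, query: str, token: str) -> dict:
    """Describe the POST that submits `query` as a oneshot search job.

    Returned as a plain dict so it can be inspected (or tested) without
    touching the network; run_job() sends it.
    """
    form = {
        "search": query,          # must begin with 'search' or a '|'
        "exec_mode": "oneshot",   # block until done, return results inline
        "output_mode": "json",
    }
    return {
        "method": "POST",
        "url": f"{base_url}/services/search/jobs",
        "headers": {"Authorization": f"Bearer {token}"},
        "body": urllib.parse.urlencode(form),
    }


def run_job(req: dict) -> list:
    """Send a request built by build_job_request; needs network and a token."""
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"],
        method=req["method"],
    )
    with urllib.request.urlopen(http_req) as resp:
        return json.load(resp).get("results", [])


if __name__ == "__main__":
    # Hostile constructed input: the quote would end the literal if unescaped.
    hostile = 'x" | delete | search src_ip="'
    query = render_query("main", hostile, 10)
    print(query)
    print(build_job_request(SPLUNK_BASE, query, "<token>")["body"])
```

Run it against a real instance by replacing SPLUNK_BASE and the token and calling run_job(build_job_request(...)); the oneshot job returns its rows under the JSON "results" key. The generated query is sent as data in a form field, so the only place untrusted text can change the pipeline is inside the string you build, which is why every substituted value goes through spl_string.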

Lowell
Super Champion

So I just found this question, and was surprised to see that this almost works:

[ | stats count | eval s="index=main | head 1" | return $s ]

It's totally wacky to me that Splunk lets you pass a "|" to the search and execute it like this. I said "almost works" because I end up with 3 results, which it turns out is because the environment I tested it on had 3 indexers. Changed it to "head 5" and got back 15 results.

Interesting. Tested on a 6.2.6 environment.

MuS
SplunkTrust

Nice! I forgot about this one and can add another solution which is working:

[ | gentimes start=-1 | eval foo="index=_internal | head 10 " | fields foo | rename foo -> search ]

It runs this litsearch in the end:

litsearch index=_internal | head 10 | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
0 Karma

martin_mueller
SplunkTrust

Your best chance to achieve this without diving into APIs probably would have been the map command:

| stats count | eval mysearchstring="search earliest=-2h@h latest=@h index=_internal log_level=ERROR | timechart count by sourcetype" | map search="$mysearchstring$"

However, that wraps the generated query in quotes and escapes quotes within the query, so you can't break out of that.

0 Karma

theeansible
Path Finder

@triest did you ever get it to work? 2017, still having this problem 😕

0 Karma

triest
Communicator

Tonight I'll look into how to do it with the REST APIs then; if someone beats me to it with a solution, I wouldn't complain 🙂

0 Karma

somesoni2
SplunkTrust

I am not sure it's possible without REST APIs. One of the closest solutions I figured out (but sadly it didn't work) (subsearch or macro search):

[search * | head 1 | eval search="Your query here" | table search | format]

The only problem I got was that the value comes back as "Your query here", which doesn't work if there is a space in it.

0 Karma

MuS
SplunkTrust

Hi triest,

If I understand correctly, you want to search for the result of another search? If so, you can use a subsearch like this:

YourMasterSearch [ search gentimes start=-1 | eval foo="index=main | head 10 | table src_ip dest_ip" | fields foo | table foo ]

First, this will run the search in [] and the results will be used in YourMasterSearch.

Hope this helps ...

cheers, MuS

0 Karma

MuS
SplunkTrust

Well, sorry, in this case I got you wrong. And my example will not work because of this eval foo, which will not work. I use some macros, but more the other way round: the macro contains the main search and I pass values to it, like myMacro(foo), where myMacro is some search and foo is used in this search.

0 Karma

triest
Communicator

I don't want to search the results of another search, I want to use a query to create a query.

If you look at the above example, I set foo="index=main | head 10 | table src_ip dest_ip"; I then want to execute the query index=main | head 10 | table src_ip dest_ip. I would be more than happy to add the implicit search command to the beginning.

I'm aware of sub-searches and have used them, but at least when run as you listed above, I haven't been able to get them to do this.

0 Karma