Dynamic Saved Search ($foo$ substitution)

xistencelol
Engager

Hi,

Is it at all possible to write a dynamic Saved Search such as:

<module name="HiddenSavedSearch">
<param name="savedSearch">$sourcetype$</param>
...

which grabs the $sourcetype$ token from a Pulldown module?

0 Karma
1 Solution

xistencelol
Engager

Ok, I've managed to find a hacky solution to this problem. To clarify, the original problem was not concerned with how to add variables/tokens into a saved search, but how to call a saved search using a token generated from a Pulldown module.

Now since we can't pass parameters into the savedSearch param of a HiddenSavedSearch module, you can instead use a Search module to call the saved job (with the included token):

<module name="Search">
 <param name="search"> | loadjob savedsearch="user:app:MySavedSearch"</param>
...
</module>

Where I would have something like:

| loadjob savedsearch="admin:search:$token$"

Note that this command will load the previously run job (if it exists) as opposed to starting a new job automatically (which the savedsearch command does).

The Splunk documentation for loadjob can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob

0 Karma

royimad
Builder

I have a similar issue here, but I need to pass one parameter, which is host. Please tell me how to call this using loadjob:
| loadjob savedsearch="admin:search:My Saved Search $host$"
Should I save my search with the host string in the name, or what?

0 Karma

lguinn2
Legend

No - if you use the macro, you don't need loadjob at all. Just do

`mymacro($token$)`

instead.

0 Karma

royimad
Builder

Thanks, can I call a macro from loadjob?
| loadjob savedsearch="admin:search:my_macro($token$)"

0 Karma

lguinn2
Legend

Have you considered using a macro? Macros can have parameters.

So you could put the same thing into a macro that you put into the saved search. Add earliest=-24h@h to the macro content (or something similar) if you need to ensure time boundaries.

Then it might look like

<param name="search"> `macroname($token$)` </param>

to invoke the macro with the parameter.

0 Karma
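
A macro definition matching the suggestion above, as an added example that is not part of the original thread. The macro name events_for_host, the index=main base search and the host token name are assumptions.

```ini
# macros.conf in the app that owns the dashboard.
# Added example: the macro name, base search and token name are assumptions.

# The "(1)" in the stanza name is the number of arguments the macro takes.
# A macro with one argument and a macro with none are separate stanzas.
[events_for_host(1)]
# Argument names, comma-separated when there is more than one.
args = host
# $host$ below is the macro argument and is replaced when the macro expands.
# index=main stands in for whatever the saved search contained.
# earliest=-24h@h bounds the time range, as suggested in the post above.
definition = index=main host="$host$" earliest=-24h@h

# In the view, the token set by the Pulldown module is passed as the argument:
#   <param name="search"> `events_for_host($host$)` </param>
```

Unlike loadjob, a search built from the macro starts a new job each time the token changes instead of loading the results of a previous run.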

pj
Contributor

I think there might be a limit on how much loadjob brings back in a dashboard.

This situation is less than ideal - why can't you pass a variable into a hiddensavedsearch? (i.e. is there a specific reason for this lack in functionality?)

0 Karma