Hi,
I am looking to get the arguments for a savedsearch from a CSV.
| savedsearch MYSAVEDSEARCH host=(from csv) threshold=(from csv)
Thanks
Hi
You could try using the map command:
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Map
Here is an example.
So first you define your SavedSearch with replacement placeholder terms (anything you want to replace gets enclosed inside $...$):
...
| eval host="$host_passed$"
| eval threshold="$threshold_passed$"
...
You save this search as a Report so you can then use it later with the savedsearch command. Let's call this SavedSearch MYSAVEDSEARCH.
Then you can use this in a search query as below:
| inputlookup hosts_and_thresholds.csv
| rename host as host_passed threshold as threshold_passed
| map MYSAVEDSEARCH
The fields to be replaced should have the same name as the ones defined in the SavedSearch.
Hope it helps.
Also you could try this:
| inputlookup hosts_and_thresholds.csv
| map search="| savedsearch MYSAVEDSEARCH host_passed=$host$ threshold_passed=$threshold$"
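An added example, not part of the original thread: map substitutes each $field$ token as text into the search it runs, and by default it runs at most 10 searches (maxsearches), so it helps to check hosts_and_thresholds.csv before pointing map at it. The function name check_lookup, the hostname and number patterns, and the sample rows are assumptions made for this sketch; the column names host and threshold come from the searches above.

```python
import csv
import io
import re

# Hostname labels: letters, digits and hyphens, dot-separated (RFC 1123 style).
HOST_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                     r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
# Thresholds: a plain integer or decimal, nothing else.
THRESHOLD_RE = re.compile(r"^\d+(\.\d+)?$")
MAP_DEFAULT_MAXSEARCHES = 10  # map's default limit on searches it will run


def check_lookup(csv_text, maxsearches=MAP_DEFAULT_MAXSEARCHES):
    """Return (accepted_rows, problems) for a host,threshold lookup file."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {"host", "threshold"} - set(reader.fieldnames or [])
    if missing:
        return [], ["missing column(s): " + ", ".join(sorted(missing))]
    accepted, problems = [], []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        host = (row["host"] or "").strip()
        threshold = (row["threshold"] or "").strip()
        if not HOST_RE.match(host):
            problems.append(f"line {lineno}: host {host!r} is not a plain hostname")
        elif not THRESHOLD_RE.match(threshold):
            problems.append(f"line {lineno}: threshold {threshold!r} is not a number")
        else:
            accepted.append({"host": host, "threshold": threshold})
    if len(accepted) > maxsearches:
        problems.append(f"{len(accepted)} rows exceed maxsearches={maxsearches}; "
                        "map will not run a search for every row")
    return accepted, problems


# Constructed sample data, not from the original thread.
SAMPLE = '''host,threshold
web01.example.com,80
db-02,95.5
"web04 (rack 7)",10
app03,high
'''

if __name__ == "__main__":
    rows, issues = check_lookup(SAMPLE)
    print("accepted:", rows)
    for issue in issues:
        print("problem:", issue)
```

If the lookup legitimately has more rows than the limit, raise it explicitly with map's maxsearches option and pass the same number to check_lookup.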