savedsearch internal parameter

damucka · ‎08-03-2019

I have quite a complicated search that I shifted into the savedsearch.
In this savedsearch I have some parameters, let us say $param1 - but these are "internal" parameters of the savedsearch, not the ones passed from the outside to it.

Now, when I call my savedsearch from another search, I get of course an error that the $param1 is not passed during the call.

How would I overcome this?

Kind Regards,
Kamil

arjunpkishore5 · ‎08-03-2019

Could you paste an example.

I'm not really sure of the problem you're facing. One way to differentiate between different levels of parameters is by using $$param$$ instead of $param$.

damucka · ‎08-03-2019

Okay, I execute the following search:

|makeresults | eval trigger=0|eval decision=if(trigger==1,[|savedsearch rtedump_trigger_on_BWP_hosts|eval t=sourcetype|return $t],0)

and my savedsearch rtedump_trigger_on_BWP_hosts looks as follows:

| makeresults

 |rename comment AS " *********************************** Set the list of hosts ***********************************************  "
 | eval master1 ="ls5920", 
        slave11 ="ls5921", 
        slave12 ="ls5922",
        slave13 ="ls5923", 
        slave14 ="ls5924",      
        master2 ="ls5925", 
        slave21 ="ls5926", 
        slave22 ="ls5927",
        slave23 ="ls5928", 
        slave24 ="ls5929"        
 | table [|makeresults |  eval search ="master1 slave11 slave12 slave13 slave14 master2 slave21 slave22 slave23 slave24" | table search ] 
 | transpose 
 | rename "row 1" AS host_to_trigger 
 | table host_to_trigger



 |rename comment AS " *********************************** Start rtedump triggering  *********************************************  "

 | eval triggertime = strftime(now(),"%H:%M")
 | table host_to_trigger triggertime   

 | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump -f /usr/sap/BWP/HDB02/$$host_to_trigger$$/trace/DB_BWP/iAlerting_rtedump_ANOMALY_$$triggertime$$.trc','$$host_to_trigger$$:30240',?)\" connection=\"HANA_MLBSO_BWP\" "

 |rename comment AS " *********************************** End rtedump triggering  ************************************************  "

So, as you see I added the additional $ around the savedsearch parameters. These are set in the savedsearch itself and I do not want to pass them from the first search.
... Unfortunately now the result is, that the savedsearch gets executed, so the additional $ did the trick, ... but it should not, because the trigger is set to 0 with the first eval. Also I am getting the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'.

Somehow I do not understand it. Why the savedsearch gets executed at all?
And why the error?

arjunpkishore5 · ‎08-04-2019

The saved_search is getting executed regardless. I'm guessing you do not want the saved_search to execute if trigger is set to 1. For that, pass a variable to the saved search similar to this

arjunpkishore5 · ‎08-04-2019

In your saved search

`
|makeresults
|where 1==$trigger$

`

damucka · ‎08-04-2019

Unfortunately not.
The savedsearch still gets executed, despite of the where statement at the beginning. Isnt the where only for the result filtering?
Additionally I am getting the error now:

Error in 'map': Did not find value for required attribute 'host_to_trigger'.

Kind Regards,
Kamil

savedsearch internal parameter

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk