Hello everyone,
I'm very new to Splunk and I find it very different from what I have worked with so far. I am writing saved searches, where I am passing arguments to the search. I'm looking for a way to pass arguments to a search that default to a value if the parameter was not given.
Something like this:
[My Search]
search = | savedsearch "Sample Search" \
argument1=$argument1$ \
argument2=$argument2$ \
argument3=if(isnull($argument3$), default_value, $argument3$)
Any advice?
Thanks,
You could define multiple macros that call your savedsearch. Each macro would have the same name, but a different number of arguments, and would call the savedsearch with the appropriate default value.
As an added comment, I only want to have 1 search defined, that is multi-purpose based on the number of arguments it receives. (minimal code redundancy)
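The overloaded-macro approach from the answer, as an added example that is not part of the original thread: a macros.conf sketch in which the macro name sample_search is hypothetical, while the saved search name, argument names and default_value are taken from the question. Splunk treats macros with the same name but a different argument count as separate definitions, so the saved search itself is still defined only once.

```ini
# macros.conf (added example; the macro name "sample_search" is hypothetical)

# Two-argument form: argument3 is not supplied by the caller,
# so the macro passes the default to the saved search.
[sample_search(2)]
args = argument1, argument2
definition = savedsearch "Sample Search" argument1="$argument1$" argument2="$argument2$" argument3="default_value"

# Three-argument form: the caller's value for argument3 is passed through.
[sample_search(3)]
args = argument1, argument2, argument3
definition = savedsearch "Sample Search" argument1="$argument1$" argument2="$argument2$" argument3="$argument3$"

# Invocation from the search bar (values are constructed samples):
#   | `sample_search(web, error)`           -> argument3 = default_value
#   | `sample_search(web, error, 24h)`      -> argument3 = 24h
```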