Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to pass argument to saved search via csv ?

AKG1_old1
Builder
‎07-18-2019 02:44 AM

Hi,

I am looking to get argument for savedsearch from csv. 

| savedsearch MYSAVEDSERACH  host=(from csv) threshold=(from csv)

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jaime_ramirez
Communicator
‎07-18-2019 04:28 AM

Hi

You could try using the map command
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Map

Here is an example

So first you define your SavedSearch with replacement placeholder terms (anything you want to replace gets enclosed inside $...$):

...
| eval host="$host_passed$"
| eval threshold="$threshold_passed$"
...

You save this search as a Report so you can use it then later with the savedsearch command. Lets call this SavedSearch MYSAVEDSEARCH.

Then you can use this in a search query as below:

| inputlookup hosts_and_thresholds.csv
| rename host as host_passed threshold as threshold_passed
| map MYSAVEDSEARCH

The fields to be replaced should have the same name as the ones defined in the SavedSearch.

Hope it helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jaime_ramirez
Communicator
‎07-18-2019 04:28 AM

Hi

You could try using the map command
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Map

Here is an example

So first you define your SavedSearch with replacement placeholder terms (anything you want to replace gets enclosed inside $...$):

...
| eval host="$host_passed$"
| eval threshold="$threshold_passed$"
...

You save this search as a Report so you can use it then later with the savedsearch command. Lets call this SavedSearch MYSAVEDSEARCH.

Then you can use this in a search query as below:

| inputlookup hosts_and_thresholds.csv
| rename host as host_passed threshold as threshold_passed
| map MYSAVEDSEARCH

The fields to be replaced should have the same name as the ones defined in the SavedSearch.

Hope it helps.

0 Karma
Reply
Solved! Jump to solution

jaime_ramirez
Communicator
‎07-18-2019 05:50 AM

Also you could try this:

| inputlookup hosts_and_thresholds.csv
| map search="| savedsearch MYSAVEDSEARCH host_passed=$host$ threshold_passed=$threshold$"
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...