Hi,
Is it at all possible to write a dynamic Saved Search such as:
<module name="HiddenSavedSearch">
<param name="savedSearch">$sourcetype$</param>
...
which grabs the $sourcetype$ token from a Pulldown module?
Ok, I've managed to find a hacky solution to this problem. To clarify, the original problem was not concerned with how to add variables/tokens into a saved search, but how to call a saved search using a token generated from a Pulldown module.
Now since we can't pass parameters into the savedSearch param of a HiddenSavedSearch module, you can instead use a Search module to call the saved job (with the included token):
<module name="Search">
<param name="search"> | loadjob savedsearch="user:app:MySavedSearch"</param>
...
</module>
Where I would have something like:
| loadjob savedsearch="admin:search:$token$"
Note that this command will load the previously run job (if it exists) as opposed to starting a new job automatically (which the savedsearch command does).
The Splunk documentation for loadjob can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob
I have a similar issue here, but I need to pass one parameter, which is host. Please tell me how to call this using loadjob:
| loadjob savedsearch="admin:search:My Saved Search $host$"
Should I save my search with the host string in the name, or what?
No - if you use the macro, you don't need loadjob at all. Just do
`mymacro($token$)`
instead.
Thanks, can I call a macro from loadjob?
| loadjob savedsearch="admin:search:my_macro($token$)"
Have you considered using a macro? Macros can have parameters.
So you could put the same thing into a macro that you put into the saved search. Add earliest=-24h@h to the macro content (or something similar) if you need to ensure time boundaries.
Then it might look like
<param name="search"> `macroname($token$)` </param>
to invoke the macro with the parameter
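A macro definition of the kind this answer describes, as an added example that is not part of the original thread. The argument name sourcetype and the stats pipeline are assumed for illustration; only the macro name and the time bound come from the answer.

```ini
# macros.conf (constructed example)
# "(1)" in the stanza name is the number of arguments the macro takes.
[macroname(1)]
args = sourcetype
# $sourcetype$ is replaced with the value passed by the caller; it is quoted
# so the Pulldown selection is always treated as a single field value.
# earliest=-24h@h bounds the time range, as suggested above.
definition = sourcetype="$sourcetype$" earliest=-24h@h | stats count by host
```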
I think there might be a limit on how much loadjob brings back in a dashboard.
This situation is less than ideal - why can't you pass a variable into a HiddenSavedSearch? (i.e. is there a specific reason for this lack of functionality?)