Dynamic Saved Search ($foo$ substitution)

xistencelol
Engager

Hi,

Is it at all possible to write a dynamic Saved Search such as:

<module name="HiddenSavedSearch">
<param name="savedSearch">$sourcetype$</param>
...
</module>

which grabs the $sourcetype$ token from a Pulldown module?

0 Karma
1 Solution

xistencelol
Engager

Ok, I've managed to find a hacky solution to this problem. To clarify, the original problem was not concerned with how to add variables/tokens into a saved search, but how to call a saved search using a token generated from a Pulldown module.

Now since we can't pass parameters into the savedSearch param of a HiddenSavedSearch module, you can instead use a Search module to call the saved job (with the included token):

<module name="Search">
 <param name="search"> | loadjob savedsearch="user:app:MySavedSearch"</param>
...
</module>

Where I would have something like:

| loadjob savedsearch="admin:search:$token$"

Note that this command will load the previously run job (if it exists) as opposed to starting a new job automatically (which the savedsearch command does).

The Splunk documentation for loadjob can be found here:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Loadjob


0 Karma

royimad
Builder

I have a similar issue here, but I need to pass one parameter, which is host. Please tell me how to call this using loadjob:
| loadjob savedsearch="admin:search:My Saved Search $host$"
Should I save my search with the host string in the name, or what?

0 Karma

lguinn2
Legend

No - if you use the macro, you don't need loadjob at all. Just do

`mymacro($token$)`

instead.

0 Karma

royimad
Builder

Thanks, can I call a macro from loadjob?
| loadjob savedsearch="admin:search:my_macro($token$)"

0 Karma

lguinn2
Legend

Have you considered using a macro? Macros can have parameters.

So you could put the same thing into a macro that you put into the saved search. Add earliest=-24h@h to the macro content (or something similar) if you need to ensure time boundaries.

Then it might look like

<param name="search"> `macroname($token$)` </param>

to invoke the macro with the parameter.

0 Karma
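An added example, not from this thread and not from Splunk's own documentation, that puts the accepted solution's loadjob approach and lguinn2's parameterised-macro approach side by side in one module-based (advanced XML) view. The module and param names (Pulldown, Search, SimpleResultsTable, staticFieldsToDisplay) are the ones from the Splunk 4.x advanced XML reference; the saved-search names host_report_web01 and host_report_db01, the macro host_events(1), the index main and the panel layout names are assumed placeholders.

```xml
<!-- Added example (not from the original thread). One Pulldown sets $token$
     and two child Search modules consume it, one per approach discussed in
     the thread. Saved-search names, macro name and index are placeholders. -->
<view template="dashboard.html">
  <label>Dynamic saved search</label>

  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

  <!-- The Pulldown defines the $token$ token. Because the choices are a static
       list, only these two values can ever be substituted into the searches
       below; nothing free-form reaches the search string. -->
  <module name="Pulldown" layoutPanel="panel_row1_col1" autoRun="True">
    <param name="name">token</param>
    <param name="label">Host</param>
    <param name="staticFieldsToDisplay">
      <list>
        <param name="label">web01</param>
        <param name="value">web01</param>
      </list>
      <list>
        <param name="label">db01</param>
        <param name="value">db01</param>
      </list>
    </param>

    <!-- Approach 1 (accepted solution): loadjob reads the artifact of a saved
         search whose name embeds the token, e.g. admin:search:host_report_web01.
         It does not dispatch a new search, so those saved searches must have
         been run (typically on a schedule) beforehand, otherwise loadjob
         reports an error; the viewing user also needs read access to the
         saved search and its job artifact. -->
    <module name="Search">
      <param name="search">| loadjob savedsearch="admin:search:host_report_$token$"</param>
      <module name="SimpleResultsTable" layoutPanel="panel_row2_col1">
        <param name="drilldown">none</param>
      </module>
    </module>

    <!-- Approach 2 (lguinn2's suggestion): a macro that takes the host as an
         argument. Assumed macros.conf stanza (placeholder names):
           [host_events(1)]
           args       = host
           definition = index=main host="$host$" earliest=-24h@h
           validation = match(host, "^[A-Za-z0-9._]+$")
           errormsg   = host must be a plain hostname
         The validation expression makes Splunk refuse to expand the macro
         when the argument is not hostname-shaped, so the token value is
         checked before it is interpolated into the search. -->
    <module name="Search">
      <param name="search">`host_events($token$)`</param>
      <module name="SimpleResultsTable" layoutPanel="panel_row3_col1">
        <param name="drilldown">none</param>
      </module>
    </module>
  </module>
</view>
```

Either Search module can be dropped depending on which approach is used. Note the difference in trust: the loadjob variant never runs a search on the user's behalf, it only selects an existing artifact, while the macro variant does run a search built from the token. The static Pulldown list bounds the token here; if the value came from anywhere less constrained, the macro's validation line is what keeps an unexpected value from being expanded into the search, so it is worth keeping even when the list is static.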

pj
Contributor

I think there might be a limit on how much loadjob brings back in a dashboard.

This situation is less than ideal - why can't you pass a variable into a hiddensavedsearch? (i.e. is there a specific reason for this lack of functionality?)

0 Karma