Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to run query returned from Rest?

SMM10
Explorer
‎05-13-2022 01:45 PM

I am working on something to return our alerts from rest functions. What I want to do is allow users to historically look at the alert query and see what adjustments can be made to certain items.

 

| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch

 

From the search above, I want Splunk to run the qualifiedfieldsearch; which is the search string. Is this something that is possible?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2022 12:11 AM

Try something like this

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$search$

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2022 12:11 AM

Try something like this

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$search$
Reply
Solved! Jump to solution

SMM10
Explorer
‎05-17-2022 10:31 AM

This worked perfect, thank you! As a follow up if I wanted to use this in a dashboard would I need to do anything to the token. It runs as  a search fine but in a dashboard it seems to be waiting for the query token to get set.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2022 11:23 AM

For dashboards, you have to double-dollar the variable names

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$$search$$
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-13-2022 10:00 PM

Hi @SMM10,

you should see the "sevedsearchcommand" (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch).

you could use your search in a panel and on click you could drilldown in another panel or dashboard executing the choosen search.

but the field to pass as parameter is "title" not "qualifiedSearch".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

SMM10
Explorer
‎05-17-2022 10:59 AM

Thanks for the input! In this case I want to edit the search before running, so I don't want it to really run as is with an existing job result or even with the current query. I am using it as a historical analysis on alerts to review how they missed or how far off they were during an event that it doesn't capture.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...