topic Re: Dynamically rewrite SPL query in Splunk Dev

Dynamically rewrite SPL query

eldarg — Fri, 23 May 2025 16:45:59 GMT

Hi, I'm trying to rewrite a given query and then execute it.

I need to do some complex lookups which can't be done with a regular macro then I thought about having a python command that will fetch the query and reconstruct it.

The issue I'm having is how to execute the new query?

I've tried with the SDK but the run time is much higher + the results return to the statistics page.

I've tried to inject the query into a field and then use map but it also wasn't successful.

Any idea that works? Maybe something I didn't try or whether if you know that one of that methods should work.

Thanks.

Re: Dynamically rewrite SPL query

ITWhisperer — Fri, 23 May 2025 23:19:39 GMT

You can do something along these lines in a SimpleXML dashboard by creating a search which generates the query you want to run and save the result to a token, and then have another panel which uses that token as its search query.

Re: Dynamically rewrite SPL query

eldarg — Sat, 24 May 2025 06:52:30 GMT

Thanks!

So dashboard is indeed a good solution.

But I’m looking for a solution that will also work on the search itself.

Re: Dynamically rewrite SPL query

isoutamo — Sat, 24 May 2025 10:32:20 GMT

What is an issue which you try to solve? Just a issue not how you have planned to solve it!

Re: Dynamically rewrite SPL query

PickleRick — Sat, 24 May 2025 19:35:32 GMT

+1 on @isoutamo 's question. The underlying problem is what's important. Because sometimes you can simply use a subsearch to render it to a set of search conditions but sometimes it isn't enough and really the only reliable way to dynamically construct and run a search is the map command. Creating the whole search with a subsearch (especially if you wanted to return a multi-staged SPL or a search starting with a command other than search) generally doesn't work.