topic Re: Dynamic Splunk Queries in Dashboards & Visualizations

Dynamic Splunk Queries

triest — Mon, 28 Sep 2020 15:51:28 GMT

Is there a way to run a search command and have it return the text of a query to run?

Is there a way to get it to execute the query stored in foo above?

The actual use case is I've written queries that are fairly complex and I'd like to create macro's to use as templates. I wrote queries that generate the query text out of laziness and I would love to turn them into macros that would "just do the right thing".

It should be possible using the rest interface, but I'm hoping to avoid that.

Re: Dynamic Splunk Queries

MuS — Tue, 11 Feb 2014 07:16:36 GMT

Hi triest,

If I understand it correct you want to search for the result of another search? It so, you can use a subsearch like this:

YourMasterSearch [ search gentimes start=-1 | eval foo="index=main | head 10 | table src_ip dest_ip" | fields foo | table foo ]

First, this will run the search in [] and the results will be used in YourMasterSearch.

Hope this helps ...

cheers, MuS

Re: Dynamic Splunk Queries

triest — Mon, 28 Sep 2020 15:51:39 GMT

I don't want to search the results of another search, I want to use a query to create a query.

If you look at the above example, I set foo="index=main | head 10 | table src_ip dest_ip", I then when to execute the query index=main | head 10 | table src_ip dest_ip. I would be more then happy to add the implicit search command to the beginning.

I'm aware of sub-searches and have used them, but at least when ran as you listed above, I haven't been able to get them to do this.

Re: Dynamic Splunk Queries

MuS — Tue, 11 Feb 2014 12:04:55 GMT

Well sorry in this case, I got you wrong. And my example will not work because of this eval foo which will not work. I use some macros but more the other way round. The macro contains the main search and I pass values to it like myMacro(foo) where myMacro is some search and foo is used in this search.

Re: Dynamic Splunk Queries

somesoni2 — Tue, 11 Feb 2014 14:36:05 GMT

I am not sure its possible without REST APIs. One of the closest solution I figured (but sadly it didn't work)(subsearch or macro search).

[search * | head 1 | eval search="Your query here"| table search | format]

The only problem that I got was that the value will come as "Your query here" which doesn't work if there is a space there.

Re: Dynamic Splunk Queries

triest — Tue, 11 Feb 2014 16:21:57 GMT

Tonight I'll look into how to do it with the rest API's then; if some one beats me to it with a solution, I wouldn't complain 🙂

Re: Dynamic Splunk Queries

martin_mueller — Tue, 11 Feb 2014 20:37:10 GMT

Your best chance to achieve this without diving into APIs probably would have been the map command:

| stats count | eval mysearchstring="search earliest=-2h@h latest=@h index=_internal log_level=ERROR) | timechart count by sourcetype" | map search="$mysearchstring$"

However, that wraps the generated query in quotes and escapes quotes within the query, so you can't break out of that.

Re: Dynamic Splunk Queries

Lowell — Thu, 28 Jan 2016 22:20:36 GMT

So just found this question, and was surprised to see that this almost works:

[ | stats count | eval s="index=main | head 1" | return $s ]

It's totally wacky to mean that Splunk lets you pass a "|" to the search and execute it like this. I said "almost worked" because I end up with 3 results, which it turns out is because the environment I tested it on had 3 indexers. Changed it to "head 5" and got back 15 results.

Interesting. Tested on a 6.2.6 environment.

Re: Dynamic Splunk Queries

MuS — Thu, 28 Jan 2016 22:34:08 GMT

Nice! forgot about this one and can add another solution which is working:

[ | gentimes start=-1 | eval foo="index=_internal | head 10 " | fields foo | rename foo -> search ]

rund this litsearch in the end:

litsearch index=_internal | head 10 | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"

Re: Dynamic Splunk Queries

theeansible — Fri, 22 Sep 2017 16:18:37 GMT

@triest did you ever get it to work ? 2017 still having this problem 😕