topic Re: Retrieve comments from savedsearches.conf via Splunk GUI in Reporting

Retrieve comments from savedsearches.conf via Splunk GUI

ramgnisiv — Mon, 01 Apr 2019 06:02:10 GMT

We are adding comments to each search in our apps savedsearches.conf to keep our technical documentation for all saved searches as in-line as possible.

We are using Splunk native comment macro for adding comments in-line.

Inside the 'comment' tag this is done using JSON format:

`comment("{"type":"xxx","title":"yyy","id":"123","dataSource":"zzz","dataSourceTechName":"sss","dataSourceGuiName":"ttt","scheduleFrequency":"1d"}")`

All saved searches are in the savedsearches.conf file inside the app folder.

The question is: How can we extract the comments for all saved searches with a single search in Splunk GUI and table the data in the 'comment' tag?

With this search, i can get the 'search' from the savedsearches.conf, but i only want the 'comment' part of the search that gives me the field that are in the JSON, like title, type, id etc and the corresponding values:

| rest /servicesNS/-/-/saved/searches splunk_server=local | table title  search

I need to be able to split the comment field into separate fields that display the field name and the corresponding value.

Edit:

Final version with correct way of working is as follows:

| rest /servicesNS/-/-/saved/searches splunk_server=local 
 | where search like "%`comment(%" 
 | rex field=search "\`comment\(\"(?<comment>.*)\)\`" 
 | fields  search comment
 | spath input=comment
 | fields  - search comment

Re: Retrieve comments from savedsearches.conf via Splunk GUI

kamlesh_vaghela — Mon, 01 Apr 2019 06:20:43 GMT

@ramgnisiv
Can you please try this?

| rest /servicesNS/-/-/saved/searches splunk_server=local 
| where search like "%`comment(%" 
| rex field=search "\`comment\(\"(?<comment>.*)\)\`" | table title search comment

Thanks

Re: Retrieve comments from savedsearches.conf via Splunk GUI

woodcock — Mon, 01 Apr 2019 06:26:01 GMT

Like this:

| rest /servicesNS/-/-/saved/searches splunk_server=local | table title  search
| makemv tokenizer="\s*\|\s*([^\|]+)" search
| eval search = mvfilter(match(search, "\s*`comment"))
| rename search AS comments

Re: Retrieve comments from savedsearches.conf via Splunk GUI

ramgnisiv — Mon, 01 Apr 2019 06:48:30 GMT

I get the following error when i apply this search:

Error in 'SearchParser': Missing a closing tick mark for macro expansion.

Re: Retrieve comments from savedsearches.conf via Splunk GUI

ramgnisiv — Mon, 01 Apr 2019 06:49:14 GMT

I get an empty comments field when i apply this search

Re: Retrieve comments from savedsearches.conf via Splunk GUI

woodcock — Mon, 01 Apr 2019 06:51:15 GMT

I made a slight adjustment. Try it now.

Re: Retrieve comments from savedsearches.conf via Splunk GUI

ramgnisiv — Mon, 01 Apr 2019 07:01:27 GMT

I still get empty comment fields for all saved searches with the adjustment you did.

Re: Retrieve comments from savedsearches.conf via Splunk GUI

kamlesh_vaghela — Mon, 01 Apr 2019 08:39:53 GMT

@@ramgnisiv

I have updated my answer.

Can you try it?

Re: Retrieve comments from savedsearches.conf via Splunk GUI

ramgnisiv — Mon, 01 Apr 2019 09:15:48 GMT

This works, now i need to split the comment field into separate fields, called type, title, id, dataSource, dataSourceTechName, dataSourceGuiName, scheduleFrequency

These fields must display the values that correspond to the fields.

Any thoughts on how to do that also?

Re: Retrieve comments from savedsearches.conf via Splunk GUI

ramgnisiv — Mon, 01 Apr 2019 09:36:09 GMT

i did it with spath, i will share it in the question

Re: Retrieve comments from savedsearches.conf via Splunk GUI

ramgnisiv — Mon, 01 Apr 2019 09:37:07 GMT

The final version i needed is based on Kamlesh's answer with the addition of the spath command

| rest /servicesNS/-/-/saved/searches splunk_server=local 
 | where search like "%`comment(%" 
 | rex field=search "\`comment\(\"(?<comment>.*)\)\`" 
 | fields  search comment
 | spath input=comment
 | fields  - search comment

Re: Retrieve comments from savedsearches.conf via Splunk GUI

kamlesh_vaghela — Mon, 01 Apr 2019 11:50:21 GMT

@ramgnisiv

Gald to help you

Happy Splunking