topic Re: Is it possible to run query returned from Rest? in Splunk Search

Is it possible to run query returned from Rest?

SMM10 — Fri, 13 May 2022 20:55:29 GMT

I am working on something to return our alerts from rest functions. What I want to do is allow users to historically look at the alert query and see what adjustments can be made to certain items.

| rest "/servicesNS/-/-/saved/searches" | search title="SomeAlert" | fields qualifiedSearch

From the search above, I want Splunk to run the qualifiedfieldsearch; which is the search string. Is this something that is possible?

Re: Is it possible to run query returned from Rest?

gcusello — Sat, 14 May 2022 05:00:24 GMT

Hi @SMM10,

you should see the "sevedsearchcommand" (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch).

you could use your search in a panel and on click you could drilldown in another panel or dashboard executing the choosen search.

but the field to pass as parameter is "title" not "qualifiedSearch".

Ciao.

Giuseppe

Re: Is it possible to run query returned from Rest?

ITWhisperer — Sat, 14 May 2022 07:11:16 GMT

Try something like this

Re: Is it possible to run query returned from Rest?

SMM10 — Tue, 17 May 2022 17:31:16 GMT

This worked perfect, thank you! As a follow up if I wanted to use this in a dashboard would I need to do anything to the token. It runs as a search fine but in a dashboard it seems to be waiting for the query token to get set.

Re: Is it possible to run query returned from Rest?

SMM10 — Tue, 17 May 2022 17:59:03 GMT

Thanks for the input! In this case I want to edit the search before running, so I don't want it to really run as is with an existing job result or even with the current query. I am using it as a historical analysis on alerts to review how they missed or how far off they were during an event that it doesn't capture.

Re: Is it possible to run query returned from Rest?

ITWhisperer — Tue, 17 May 2022 18:23:56 GMT

For dashboards, you have to double-dollar the variable names