Can we parameterize Splunk queries?
Here is the query, and I want to parameterize the "-7".
index=xyz sourcetype=n1 earliest=-7d@d "abc p=save" " xm=POST" |
rex field=msg " tt=(?<time>[0-9]+)" |
fields id, time |
stats count (id) as COUNT
perc50(time) as a
perc90(time) as k
Yes, we can, by using the time picker and using its value in the query, if this is in a dashboard or report.
Please see here for a similar question.
Please see here for the docs on how to add a time picker to a dashboard.
For a report, the option to add a time picker can be selected while saving the report.
Ok…let me be more specific…
I have created a report and am calling this report over an ODBC connection, like
Select * from splunk_report1.
This report runs the above-mentioned query, and I want to pass the value for "earliest" so I can change the last 7 days to the last 1 day if required.