How to pass search name to savedsearch

damucka · ‎08-01-2019

Hello,

I have the following search, which works fine and returns the proper result "RCA_MEMORY":

|makeresults
 | eval mysearch = 
   [
   |dbxquery query="call \"ML\".\"ML.PROCEDURES::PR_ALERT_TYPE_ANALYSING_LAST_MINUTES_AND_MISSING_DATA_ALL_HOSTS\"('BWP', to_timestamp(to_nvarchar('2019-07-16 18:53:00', 'YYYY-MM-DD HH24:MI'),'YYYY-MM-DD HH24:MI'), ?)" connection="HANA_MLBSO" 
   | eval mysearch = if(like(RCA_TO_REPORT, "%MEMORY%"), "\"RCA_MEMORY\"",
                          (if(like(RCA_TO_REPORT, "%CPU%"), "\"RCA_CPU\"", 0)))
   | return $mysearch
   ]
 | eval f1 = "\"" 
 | strcat f1 mysearch f1 mysearchname
 | return $mysearchname

But when I now wrap it and pass to the savedsearch command, I get the following error:
Error in 'eval' command: Failed to parse the provided arguments. Usage: eval dest_key = expression
The code loos as follows:

 |savedsearch [
    |makeresults
     | eval mysearch = 
       [
       |dbxquery query="call \"ML\".\"ML.PROCEDURES::PR_ALERT_TYPE_ANALYSING_LAST_MINUTES_AND_MISSING_DATA_ALL_HOSTS\"('BWP', to_timestamp(to_nvarchar('2019-07-16 18:53:00', 'YYYY-MM-DD HH24:MI'),'YYYY-MM-DD HH24:MI'), ?)" connection="HANA_MLBSO" 
       | eval mysearch = if(like(RCA_TO_REPORT, "%MEMORY%"), "\"RCA_MEMORY\"",
                              (if(like(RCA_TO_REPORT, "%CPU%"), "\"RCA_CPU\"", 0)))
       | return $mysearch
       ]
     | eval f1 = "\"" 
     | strcat f1 mysearch f1 mysearchname
     | return $mysearchname
     ]

Please advice.

Kind regards,
Kamil

How to pass search name to savedsearch

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life