Is there a way to run a search command and have it return the text of a query to run?
E.g. [ | gentimes start=-1 | eval foo="index=main | head 10 | table src_ip dest_ip" | fields foo | table foo ]
Is there a way to get it to execute the query stored in foo above?
The actual use case is I've written queries that are fairly complex and I'd like to create macro's to use as templates. I wrote queries that generate the query text out of laziness and I would love to turn them into macros that would "just do the right thing".
It should be possible using the rest interface, but I'm hoping to avoid that.
So just found this question, and was surprised to see that this almost works:
[ | stats count | eval s="index=main | head 1" | return $s ]
It's totally wacky to mean that Splunk lets you pass a "|" to the search and execute it like this. I said "almost worked" because I end up with 3 results, which it turns out is because the environment I tested it on had 3 indexers. Changed it to "head 5" and got back 15 results.
Interesting. Tested on a 6.2.6 environment.
Nice! forgot about this one and can add another solution which is working:
[ | gentimes start=-1 | eval foo="index=_internal | head 10 " | fields foo | rename foo -> search ]
rund this litsearch in the end:
litsearch index=_internal | head 10 | fields keepcolorder=t "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server"
Your best chance to achieve this without diving into APIs probably would have been the
| stats count | eval mysearchstring="search earliest=-2h@h latest=@h index=_internal log_level=ERROR) | timechart count by sourcetype" | map search="$mysearchstring$"
However, that wraps the generated query in quotes and escapes quotes within the query, so you can't break out of that.
@triest did you ever get it to work ? 2017 still having this problem 😕
Tonight I'll look into how to do it with the rest API's then; if some one beats me to it with a solution, I wouldn't complain 🙂
I am not sure its possible without REST APIs. One of the closest solution I figured (but sadly it didn't work)(subsearch or macro search).
[search * | head 1 | eval search="Your query here"| table search | format]
The only problem that I got was that the value will come as "Your query here" which doesn't work if there is a space there.
If I understand it correct you want to search for the result of another search? It so, you can use a subsearch like this:
YourMasterSearch [ search gentimes start=-1 | eval foo="index=main | head 10 | table src_ip dest_ip" | fields foo | table foo ]
First, this will run the search in
 and the results will be used in
Hope this helps ...
Well sorry in this case, I got you wrong. And my example will not work because of this
eval foo which will not work. I use some macros but more the other way round. The macro contains the main search and I pass values to it like
myMacro is some search and
foo is used in this search.
I don't want to search the results of another search, I want to use a query to create a query.
If you look at the above example, I set foo="index=main | head 10 | table src_ip dest_ip", I then when to execute the query index=main | head 10 | table src_ip dest_ip. I would be more then happy to add the implicit search command to the beginning.
I'm aware of sub-searches and have used them, but at least when ran as you listed above, I haven't been able to get them to do this.