savedsearch internal parameter

damucka
Builder

I have quite a complicated search that I shifted into the savedsearch.
In this savedsearch I have some parameters, let us say $param1 - but these are "internal" parameters of the savedsearch, not the ones passed from the outside to it.

Now, when I call my savedsearch from another search, I of course get an error that $param1 is not passed during the call.

How would I overcome this?

Kind Regards,
Kamil

0 Karma

arjunpkishore5
Motivator

Could you paste an example?

I'm not really sure of the problem you're facing. One way to differentiate between different levels of parameters is by using $$param$$ instead of $param$.

0 Karma

damucka
Builder

Okay, I execute the following search:

|makeresults | eval trigger=0|eval decision=if(trigger==1,[|savedsearch rtedump_trigger_on_BWP_hosts|eval t=sourcetype|return $t],0)

and my savedsearch rtedump_trigger_on_BWP_hosts looks as follows:

| makeresults

 |rename comment AS " *********************************** Set the list of hosts ***********************************************  "
 | eval master1 ="ls5920", 
        slave11 ="ls5921", 
        slave12 ="ls5922",
        slave13 ="ls5923", 
        slave14 ="ls5924",      
        master2 ="ls5925", 
        slave21 ="ls5926", 
        slave22 ="ls5927",
        slave23 ="ls5928", 
        slave24 ="ls5929"        
 | table [|makeresults |  eval search ="master1 slave11 slave12 slave13 slave14 master2 slave21 slave22 slave23 slave24" | table search ] 
 | transpose 
 | rename "row 1" AS host_to_trigger 
 | table host_to_trigger



 |rename comment AS " *********************************** Start rtedump triggering  *********************************************  "

 | eval triggertime = strftime(now(),"%H:%M")
 | table host_to_trigger triggertime   

 | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump -f /usr/sap/BWP/HDB02/$$host_to_trigger$$/trace/DB_BWP/iAlerting_rtedump_ANOMALY_$$triggertime$$.trc','$$host_to_trigger$$:30240',?)\" connection=\"HANA_MLBSO_BWP\" "

 |rename comment AS " *********************************** End rtedump triggering  ************************************************  "

So, as you see, I added the additional $ around the savedsearch parameters. These are set in the savedsearch itself and I do not want to pass them from the first search.
Unfortunately, the result now is that the savedsearch gets executed, so the additional $ did the trick, but it should not, because the trigger is set to 0 with the first eval. Also, I am getting the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'.

Somehow I do not understand it. Why does the savedsearch get executed at all?
And why the error?

0 Karma

arjunpkishore5
Motivator

The saved_search is getting executed regardless. I'm guessing you do not want the saved_search to execute if trigger is set to 1. For that, pass a variable to the saved search, similar to this:


|makeresults
| eval trigger=0
| map [|savedsearch rtedump_trigger_on_BWP_hosts($trigger$)|table sourcetype]
| eval decision=coalesce(sourcetype, 0)

0 Karma

arjunpkishore5
Motivator

In your saved search:

|makeresults
|where 1==$trigger$

0 Karma

damucka
Builder

Unfortunately not.
The savedsearch still gets executed, despite the where statement at the beginning. Isn't the where only for the result filtering?
Additionally, I am getting the error now:

Error in 'map': Did not find value for required attribute 'host_to_trigger'.

Kind Regards,
Kamil

0 Karma
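
An added example, not part of any post in this thread: a subsearch in square brackets is run before the outer search, so `if(trigger==1,[...],0)` cannot stop it, whereas `map` runs its search once per incoming result and therefore never runs once `where` has removed the only row. It assumes the saved search keeps the `$$...$$` escaping shown in the post above, and it reuses the field name `t` from the original query only for illustration.

```spl
| makeresults
| eval trigger=0
| rename comment AS "Gate: keep the row only when trigger is 1; map runs once per remaining row"
| where trigger==1
| map maxsearches=1 search="| savedsearch rtedump_trigger_on_BWP_hosts | eval t=sourcetype | fields t"
| rename comment AS "If the gate removed the row, nothing ran and there are no results: emit decision=0"
| appendpipe [ stats count | where count==0 | eval decision=0 | fields decision ]
| eval decision=coalesce(decision, t)
```

With `trigger=0` the pipeline returns a single row with `decision=0` and the dump procedure is never called; with `trigger=1` the saved search runs once and `decision` takes the value of `t` from its results.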