I have quite a complicated search that I shifted into the savedsearch.
In this savedsearch I have some parameters, let us say $param1 - but these are "internal" parameters of the savedsearch, not the ones passed from the outside to it.
Now, when I call my savedsearch from another search, I get of course an error that the $param1 is not passed during the call.
How would I overcome this?
Kind Regards,
Kamil
Could you paste an example.
I'm not really sure of the problem you're facing. One way to differentiate between different levels of parameters is by using $$param$$ instead of $param$.
Okay, I execute the following search:
|makeresults | eval trigger=0|eval decision=if(trigger==1,[|savedsearch rtedump_trigger_on_BWP_hosts|eval t=sourcetype|return $t],0)
and my savedsearch rtedump_trigger_on_BWP_hosts looks as follows:
| makeresults
|rename comment AS " *********************************** Set the list of hosts *********************************************** "
| eval master1 ="ls5920",
slave11 ="ls5921",
slave12 ="ls5922",
slave13 ="ls5923",
slave14 ="ls5924",
master2 ="ls5925",
slave21 ="ls5926",
slave22 ="ls5927",
slave23 ="ls5928",
slave24 ="ls5929"
| table [|makeresults | eval search ="master1 slave11 slave12 slave13 slave14 master2 slave21 slave22 slave23 slave24" | table search ]
| transpose
| rename "row 1" AS host_to_trigger
| table host_to_trigger
|rename comment AS " *********************************** Start rtedump triggering ********************************************* "
| eval triggertime = strftime(now(),"%H:%M")
| table host_to_trigger triggertime
| map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump -f /usr/sap/BWP/HDB02/$$host_to_trigger$$/trace/DB_BWP/iAlerting_rtedump_ANOMALY_$$triggertime$$.trc','$$host_to_trigger$$:30240',?)\" connection=\"HANA_MLBSO_BWP\" "
|rename comment AS " *********************************** End rtedump triggering ************************************************ "
So, as you see I added the additional $ around the savedsearch parameters. These are set in the savedsearch itself and I do not want to pass them from the first search.
... Unfortunately now the result is, that the savedsearch gets executed, so the additional $ did the trick, ... but it should not, because the trigger is set to 0 with the first eval. Also I am getting the error:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'.
Somehow I do not understand it. Why the savedsearch gets executed at all?
And why the error?
The saved_search is getting executed regardless. I'm guessing you do not want the saved_search to execute if trigger is set to 1. For that, pass a variable to the saved search similar to this
|makeresults
| eval trigger=0
| map [|savedsearch rtedump_trigger_on_BWP_hosts($trigger$)|table sourcetype]
| eval decision=coalesce(sourcetype, 0)
In your saved search
`
|makeresults
|where 1==$trigger$
`
Unfortunately not.
The savedsearch still gets executed, despite of the where statement at the beginning. Isnt the where only for the result filtering?
Additionally I am getting the error now:
Error in 'map': Did not find value for required attribute 'host_to_trigger'.
Kind Regards,
Kamil