Re: savedsearch internal parameter

damucka · ‎08-03-2019

I have quite a complicated search that I shifted into the savedsearch.
In this savedsearch I have some parameters, let us say $param1 - but these are "internal" parameters of the savedsearch, not the ones passed from the outside to it.

Now, when I call my savedsearch from another search, I get of course an error that the $param1 is not passed during the call.

How would I overcome this?

Kind Regards,
Kamil

arjunpkishore5 · ‎08-03-2019

Could you paste an example.

I'm not really sure of the problem you're facing. One way to differentiate between different levels of parameters is by using $$param$$ instead of $param$.

damucka · ‎08-03-2019

Okay, I execute the following search:

|makeresults | eval trigger=0|eval decision=if(trigger==1,[|savedsearch rtedump_trigger_on_BWP_hosts|eval t=sourcetype|return $t],0)

and my savedsearch rtedump_trigger_on_BWP_hosts looks as follows:

| makeresults

 |rename comment AS " *********************************** Set the list of hosts ***********************************************  "
 | eval master1 ="ls5920", 
        slave11 ="ls5921", 
        slave12 ="ls5922",
        slave13 ="ls5923", 
        slave14 ="ls5924",      
        master2 ="ls5925", 
        slave21 ="ls5926", 
        slave22 ="ls5927",
        slave23 ="ls5928", 
        slave24 ="ls5929"        
 | table [|makeresults |  eval search ="master1 slave11 slave12 slave13 slave14 master2 slave21 slave22 slave23 slave24" | table search ] 
 | transpose 
 | rename "row 1" AS host_to_trigger 
 | table host_to_trigger



 |rename comment AS " *********************************** Start rtedump triggering  *********************************************  "

 | eval triggertime = strftime(now(),"%H:%M")
 | table host_to_trigger triggertime   

 | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump -f /usr/sap/BWP/HDB02/$$host_to_trigger$$/trace/DB_BWP/iAlerting_rtedump_ANOMALY_$$triggertime$$.trc','$$host_to_trigger$$:30240',?)\" connection=\"HANA_MLBSO_BWP\" "

 |rename comment AS " *********************************** End rtedump triggering  ************************************************  "

So, as you see I added the additional $ around the savedsearch parameters. These are set in the savedsearch itself and I do not want to pass them from the first search.
... Unfortunately now the result is, that the savedsearch gets executed, so the additional $ did the trick, ... but it should not, because the trigger is set to 0 with the first eval. Also I am getting the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'.

Somehow I do not understand it. Why the savedsearch gets executed at all?
And why the error?

arjunpkishore5 · ‎08-04-2019

The saved_search is getting executed regardless. I'm guessing you do not want the saved_search to execute if trigger is set to 1. For that, pass a variable to the saved search similar to this

arjunpkishore5 · ‎08-04-2019

In your saved search

`
|makeresults
|where 1==$trigger$

`

damucka · ‎08-04-2019

Unfortunately not.
The savedsearch still gets executed, despite of the where statement at the beginning. Isnt the where only for the result filtering?
Additionally I am getting the error now:

Error in 'map': Did not find value for required attribute 'host_to_trigger'.

Kind Regards,
Kamil

savedsearch internal parameter

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation