Dashboards & Visualizations

savedsearch internal parameter

damucka
Builder

I have quite a complicated search that I shifted into the savedsearch.
In this savedsearch I have some parameters, let us say $param1 - but these are "internal" parameters of the savedsearch, not the ones passed from the outside to it.

Now, when I call my savedsearch from another search, I get of course an error that the $param1 is not passed during the call.

How would I overcome this?

Kind Regards,
Kamil

0 Karma

arjunpkishore5
Motivator

Could you paste an example.

I'm not really sure of the problem you're facing. One way to differentiate between different levels of parameters is by using $$param$$ instead of $param$.

0 Karma

damucka
Builder

Okay, I execute the following search:

|makeresults | eval trigger=0|eval decision=if(trigger==1,[|savedsearch rtedump_trigger_on_BWP_hosts|eval t=sourcetype|return $t],0)

and my savedsearch rtedump_trigger_on_BWP_hosts looks as follows:

| makeresults

 |rename comment AS " *********************************** Set the list of hosts ***********************************************  "
 | eval master1 ="ls5920", 
        slave11 ="ls5921", 
        slave12 ="ls5922",
        slave13 ="ls5923", 
        slave14 ="ls5924",      
        master2 ="ls5925", 
        slave21 ="ls5926", 
        slave22 ="ls5927",
        slave23 ="ls5928", 
        slave24 ="ls5929"        
 | table [|makeresults |  eval search ="master1 slave11 slave12 slave13 slave14 master2 slave21 slave22 slave23 slave24" | table search ] 
 | transpose 
 | rename "row 1" AS host_to_trigger 
 | table host_to_trigger



 |rename comment AS " *********************************** Start rtedump triggering  *********************************************  "

 | eval triggertime = strftime(now(),"%H:%M")
 | table host_to_trigger triggertime   

 | map maxsearches=20 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump -f /usr/sap/BWP/HDB02/$$host_to_trigger$$/trace/DB_BWP/iAlerting_rtedump_ANOMALY_$$triggertime$$.trc','$$host_to_trigger$$:30240',?)\" connection=\"HANA_MLBSO_BWP\" "

 |rename comment AS " *********************************** End rtedump triggering  ************************************************  "

So, as you see I added the additional $ around the savedsearch parameters. These are set in the savedsearch itself and I do not want to pass them from the first search.
... Unfortunately now the result is, that the savedsearch gets executed, so the additional $ did the trick, ... but it should not, because the trigger is set to 0 with the first eval. Also I am getting the error:

Error in 'eval' command: The expression is malformed. An unexpected character is reached at ',0)'.

Somehow I do not understand it. Why the savedsearch gets executed at all?
And why the error?

0 Karma

arjunpkishore5
Motivator

The saved_search is getting executed regardless. I'm guessing you do not want the saved_search to execute if trigger is set to 1. For that, pass a variable to the saved search similar to this


|makeresults
| eval trigger=0
| map [|savedsearch rtedump_trigger_on_BWP_hosts($trigger$)|table sourcetype]
| eval decision=coalesce(sourcetype, 0)

0 Karma

arjunpkishore5
Motivator

In your saved search

`
|makeresults
|where 1==$trigger$

`

0 Karma

damucka
Builder

Unfortunately not.
The savedsearch still gets executed, despite of the where statement at the beginning. Isnt the where only for the result filtering?
Additionally I am getting the error now:

Error in 'map': Did not find value for required attribute 'host_to_trigger'.

Kind Regards,
Kamil

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...