Reporting

How to execute saved search with dynamic search time?

AKG1_old1
Builder

Hello,

I have to execute one saved search which requires some arguments. These arguments are generated dynamically in one file. So I am looking to read that file and pass those arguments to the saved search.

Search to get arguments:
index=mlc_live sourcetype=csv 
|  table host_name earliest latest

Output
host_name earliest latest
RSAT43  1578927600  1579016736

I am looking to execute saved search for time from above search. (earliest and latest time)
My query:

index=mlc_live sourcetype=csv
| table host_name earliest latest
| map maxsearches=1 search="| savedsearch \"TEST_KPI_MTE_ALERT_FUNCTION\" host_token=$host_name$ earliest=$earliest$ latest=$latest$"

But in the above query, the saved search is producing results for all time.

Is there a way to execute a saved search for a specific duration taken from another file/search query?

FYI: my saved search is a complex function which calls multiple other saved searches, so I can't replace this saved search with a normal query.

0 Karma

to4kawa
Ultra Champion
 | savedsearch "TEST_KPI_MTE_ALERT_FUNCTION"  [ search index=mlc_live sourcetype=csv 
| table host_name earliest latest 
| rename host_name as host_token
| format "(" "" "" "" "" ")"]

Hi, how about this?

0 Karma

AKG1_old1
Builder

Thanks, I tried this approach but it doesn't work. Even though the earliest/latest time is overridden by the subsearch, the savedsearch still uses all time.

0 Karma

skoelpin
SplunkTrust

Try the solution I posted below. It's clear cut.

0 Karma

to4kawa
Ultra Champion
Time ranges
If you specify All Time in the time range picker, the savedsearch command uses the time range that was saved with the saved search.
If you specify any other time in the time range picker, the time range that you specify overrides the time range that was saved with the saved search.

Check the time picker.

0 Karma

skoelpin
SplunkTrust

I've run into this problem before and used several solutions to solve it. The name of the game is to keep load on the system low, but also use the first search to identify time based off some value, then pass that value(s) to a second search.

  1. Install the add-on below
  2. Create a query which will represent your first search
  3. Pass those values to the second search which lives in the alert action from the app you installed in step one
  4. Query two fires with the time parameters and any other value inherited from search one

https://splunkbase.splunk.com/app/3837/

AKG1_old1
Builder

Thanks @skoelpin

I have tried this approach but still I am not able to get the desired outcome.

    1. The outcome of the first search is not being passed to the second search properly.
This is how I am using my queries.
**first search output in table**
         |  table host_token service_earliest_time earliest latest time_token.earliest time_token.latest

    **Second search**
   |  savedsearch "TEST_KPI_MTE_ALERT_FUNCTION"  host_token="$host_token$" service_earliest_time="$service_earliest_time$" earliest="$earliest$" latest="$latest$" time_token.earliest="$time_token.earliest$" time_token.latest="$time_token.latest$"
    2. In spite of the arguments not being passed to the second search, I can see the second query is running, but the results are stored in the "main" index in JSON format, which will be difficult to parse. I was hoping to get the results either via email or dumped in some file; extracting them from logs will be difficult.

    3. I am not sure if the second search will use the earliest and latest time from the output of the first search.

These are the results I am getting in the logs (tokens not having values from the first search):

{"messages": [{"type": "INFO", "text": "[subsearch]: Successfully read lookup file '/hp737srv2/apps/splunk/etc/apps/Murex/lookups/KPI_MASTER_LIST.csv'."}, {"type": "WARN", "text": "Unable to run query '| savedsearch KPI_MTE_NO_OF_CRITICAL_INFRA host_token= SERVICE_EARLIEST_TIME= time_token.earliest= time_token.latest= | appendcols [ | makeresults | eval Order=7 | fillnull count ] | table ALERT count Order '."}], "earliest": "1970-01-01T01:00:00.000+01:00", "description": "Splunk Adaptive Response Search", "latest": "2020-01-29T13:27:05.%L", "search": "|  savedsearch \"TEST_KPI_MTE_ALERT_FUNCTION\"   host_token=\"\" service_earliest_time=\"\" earliest=\"\" latest=\"\" time_token.earliest=\"\" time_token.latest=\"\"", "results": [{"TYPE": "MTE_GENERIC", "Category": "INFRA", "ALERT": "KPI_MTE_NO_OF_CRITICAL_INFRA", "Alert_Description": "Total No of Critical Alerts (INFRA)", "Dashboard": "MTE_ALERTS_CRITICAL_INFRA", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "INFRA", "ALERT": "KPI_EnvStatus_INFRA", "Alert_Description": "EnvStatus INFRA", "Dashboard": "MTE_envStatus_INFRA", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_RUNTIME_BA", "Alert_Description": "Business Activities Failed", "Dashboard": "MTE_RUNTIME_BA", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_RUNTIME_BA_EOD", "Alert_Description": "BA_EOD Failed Scripts", "Dashboard": "MTE_RUNTIME_BA_EOD", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_RUNTIME_TOOLING", "Alert_Description": "MTE RUNTIME TOOLING (Not Executed)", "Dashboard": "MTE_RUNTIME_TOOLING", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MX", "ALERT": "KPI_MTE_NO_OF_CRITICAL_MX", "Alert_Description": "Total No of Critical Alerts (MX)", "Dashboard": "MTE_ALERTS_CRITICAL_MX", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_NO_OF_CORES", "Alert_Description": "Total No of Cores", "Dashboard": 
"MTE_ALERTS_CORES", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_MTE_ALERT_RECIPIENT_COUNT", "Alert_Description": "MTE Alerts  > 20 Per User", "Dashboard": "MTE_ALERT", "Threshold": "25"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_EnvStatus_MXTECH", "Alert_Description": "EnvStatus MXTECH", "Dashboard": "MTE_envStatus_MXTECH", "Threshold": "0"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_EnvStatus_LOAD", "Alert_Description": "EnvStatus LOAD (Value<=3)", "Dashboard": "MTE_envStatus_LOAD", "Threshold": "3"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_EnvStatus_BAU", "Alert_Description": "EnvStatus BAU (Value<=3)", "Dashboard": "MTE_envStatus_BAU", "Threshold": "3"}, {"TYPE": "MTE_GENERIC", "Category": "MTE", "ALERT": "KPI_EnvStatus_BP", "Alert_Description": "EnvStatus BP", "Dashboard": "MTE_envStatus_BP", "Threshold": "0"}]}
0 Karma

skoelpin
SplunkTrust

You can absolutely pass tokens from the first search to the second search. You need to prefix it with result, then the name of the column, enclosed in dollar signs. I use this solution quite a bit for more advanced use cases.

Like this, assuming your column name is host_token

host_token="$result.host_token$"

0 Karma

AKG1_old1
Builder

Actually it worked with result.host_token, but it's not solving my problem. The second search is still running with all time. (Same results as using a subsearch to override time.)

0 Karma
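Since the thread never reached a working SPL-only answer, here is one alternative as an added example that is not from this thread: drive the saved search from outside Splunk through its REST dispatch endpoint, one run per row of the first search, with the time window set per run. The endpoint path and parameter names (dispatch.earliest_time, dispatch.latest_time, args.*, trigger_actions) are assumed from the Splunk REST reference, post() is a hypothetical HTTP helper you supply, and the host value is whitelisted before it is ever substituted into SPL.

```python
import re
from typing import Callable, Dict, Iterable, List
from urllib.parse import quote

# savedsearch substitutes tokens as raw text into SPL, so only accept values
# that cannot smuggle search syntax along with the hostname.
HOST_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def build_dispatch_params(row: Dict[str, str], host_arg: str = "host_token") -> Dict[str, str]:
    """Turn one row of the first search (host_name, earliest, latest) into
    parameters for POST saved/searches/{name}/dispatch (assumed per the REST
    reference); args.<name> fills $args.<name>$ inside the saved search's SPL."""
    host = row.get("host_name", "")
    if not HOST_RE.match(host):
        raise ValueError(f"rejecting host_name {host!r}: not a plain hostname")
    try:
        earliest, latest = int(row["earliest"]), int(row["latest"])
    except (KeyError, ValueError) as exc:
        raise ValueError(f"bad epoch bounds in row {row!r}") from exc
    if not 0 < earliest < latest:
        raise ValueError(f"earliest {earliest} must precede latest {latest}")
    return {
        "dispatch.earliest_time": str(earliest),   # bounds this run, not the picker
        "dispatch.latest_time": str(latest),
        f"args.{host_arg}": host,
        "trigger_actions": "1",  # run the saved search's alert actions (e-mail etc.)
    }

def dispatch_per_row(saved_search: str, rows: Iterable[Dict[str, str]],
                     post: Callable[[str, Dict[str, str]], str]) -> List[str]:
    """Dispatch saved_search once per row, each run bounded to that row's window.
    post(path, params) is the caller's authenticated HTTP POST against the
    management port (hypothetical) and returns the job SID; bad rows are skipped."""
    path = f"/services/saved/searches/{quote(saved_search, safe='')}/dispatch"
    sids: List[str] = []
    for row in rows:
        try:
            params = build_dispatch_params(row)
        except ValueError:
            continue
        sids.append(post(path, params))
    return sids

# Constructed sample: the thread's first-search row, plus one row whose
# host_name carries search syntax and must be rejected.
SAMPLE_ROWS = [
    {"host_name": "RSAT43", "earliest": "1578927600", "latest": "1579016736"},
    {"host_name": "RSAT43 OR *", "earliest": "1578927600", "latest": "1579016736"},
]
```

The saved search itself then references `$args.host_token$` instead of `$host_token$`, and its alert action (e-mail, file output) replaces the JSON-in-main logging the thread complains about.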