I have a saved search which I would like to pass a _index_earliest=XXX parameter to. I am trying to make a search that will give information based on a specified time that can be configured by calling the saved search and then entering the specified time. For example, the call might look something like:
| savedsearch saved_search_name _index_earliest=xxx
I am aware that you can do this with host, but I am having trouble trying to do this with a time. I would be joining this search with another search that uses a different time, which is why I simply can't use the time set options provided in the drop-down.
Hi jwit,
You can pass parameters into saved searches from a dashboard... just not directly.
Replace your searchName with searchString using this:
| savedsearch Perfmon_Processor_ProcessorTime_Total host=$host$
http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/savedsearch
If you want to use earliest, then you need to pass it as arguments to the | savedsearch command, within the search string, e.g.:
| savedsearch earliest=-24h@h
Hope that helps ...
cheers, MuS
This is common; you just use latest and earliest like this:
earliest=xxx latest=now() your search text
You can chain it like this:
outer search stuff with time set by timepicker | stats latest(_time) AS earliestTime | map search="earliest=$earliestTime$ latest=now() search inner search stuff"
I am confused. Where would the user pass in the value for earliest if it is getting the value from the stats latest(_time) function?
By what method are you getting input from users? If I understand you correctly now, you would not use a saved search; you would use a macro (with the guts from your saved search) and then use the earliest=$earliest$ construct.
Okay, so by that do you mean that the guts from my saved search will be stored in a macro, and the earliest field will be left as "earliest=$earliest$", so any time the user runs the query they would have to put in that date?
I originally envisioned it being as simple as "| savedsearch saved_search_name host=$host$" (but instead of host, earliest would be there). Then a user could just enter the date without seeing all the inner workings of the query.
Yes, that is exactly what I mean, by calling the macro like this:
... | `earliestmacro("December 24, 2015 23:59:59")`
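A worked version of the macro approach, added here as an illustration and not part of any reply in the thread: a macros.conf stanza that takes the start time as its single argument and applies it as _index_earliest (the modifier the question asked about) so the caller never sees the inner search. The macro name, index name and sourcetype are assumed placeholders; the call shown in the comments uses Splunk's MM/DD/YYYY:HH:MM:SS time format, which the time modifiers accept without quoting.

```ini
# macros.conf (assumed example stanza; index, sourcetype and macro name are placeholders)
# The "(1)" suffix declares a one-argument macro. Splunk substitutes the caller's
# value wherever $earliest$ appears in the definition, so the time bound is the
# only thing the user has to supply.
[earliestmacro(1)]
args = earliest
definition = _index_earliest=$earliest$ index=placeholder_index sourcetype=placeholder_sourcetype | stats count BY host
iseval = 0

# Calling it from the search bar (no quotes needed, the value has no spaces):
#   | `earliestmacro(12/24/2015:23:59:59)`
# An epoch value also works, which is what an outer "stats latest(_time) AS earliestTime"
# produces when the result is fed in through map as the earlier answer shows.
```

The definition keeps the fixed parts of the saved search (index, sourcetype, the stats clause) inside the macro and exposes only the time argument; if the inner search should also be bounded at the far end, a second argument such as latest can be added the same way (args = earliest, latest, with the stanza renamed to earliestmacro(2)).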