Reporting

How to pass a time field parameter to a saved search?

jwhit
Engager

I have a saved search which I would like to pass a _index_earliest=XXX parameter to. I am trying to make a search that will give information based on a specified time that can be configured by calling the saved search and then entering the specified time. For example, the call might look something like | savedsearch saved_search_name _index_earliest=xxx. I am aware that you can do this with host, but I am having trouble trying to do this with a time. I would be joining this search with another search that uses a different time, which is why I simply can't use the time set options provided in the drop-down.

0 Karma

MuS
SplunkTrust

Hi jwhit,

You can pass parameters into saved searches from a dashboard... just not directly.

Replace your searchName with searchString using this:

 | savedsearch Perfmon_Processor_ProcessorTime_Total host=$host$

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/savedsearch

If you want to use earliest, then you need to pass it as arguments to the | savedsearch command, within the search string, e.g., | savedsearch earliest=-24h@h.

Hope that helps ...

cheers, MuS

woodcock
Esteemed Legend

This is common, you just use latest and earliest like this:

 earliest=xxx latest=now() your search text

You can chain it like this:

 outer search stuff with time set by timepicker | stats latest(_time) AS earliestTime | map search="earliest=$earliestTime$ latest=now() search inner search stuff"
0 Karma

jwhit
Engager

I am confused: where would the user pass in the value for earliest if it is getting the value from the stats latest(_time) function?

0 Karma

woodcock
Esteemed Legend

By what method are you getting input from users? If I understand you correctly now, you would not use a saved search, you would use a macro (with the guts from your saved search) and then use the earliest=$earliest$ construct.

0 Karma

jwhit
Engager

Okay, so by that do you mean that the guts from my savedsearch will be stored in a macro, and the earliest field will be left as "earliest=$earliest$", so any time the user runs the query they would have to put in that date?

I originally envisioned it being as simple as "| savedsearch saved_search_name host=$host$" (but with earliest there instead of host). Then a user could just enter the date without seeing all the inner workings of the query.

0 Karma

woodcock
Esteemed Legend

Yes, that is exactly what I mean, by calling the macro like this:

 ... | `earliestmacro("December 24, 2015 23:59:59")`
0 Karma
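Putting the two answers together as concrete configuration. This is an added example, not anything posted in the thread: the stanza names (failed_logins_since), the index, sourcetype, field names and host value are all assumptions chosen for illustration. The saved-search variant follows MuS's suggestion of a $token$ inside the search string that `| savedsearch name key=value` fills in; the macro variant follows woodcock's suggestion of a macro whose one argument is earliest.

```ini
# savedsearches.conf -- the saved-search variant.
# Stanza name, index, sourcetype, field names and host are assumptions for this example.
[failed_logins_since]
# $earliest$ and $host$ are substitution tokens: running
#   | savedsearch failed_logins_since earliest="-24h@h" host="web01"
# replaces them textually before the search executes. Quoting the token keeps a
# value with spaces (a full timestamp) together as one argument. Because earliest=
# and latest= sit inside the search string, they override the time range picker,
# so a second search joined to this one keeps its own time range.
search = earliest="$earliest$" latest=now index=auth sourcetype=linux_secure host="$host$" action=failure | stats count AS failures BY user, host

# macros.conf -- the macro variant, with earliest as the single argument.
[failed_logins_since(1)]
args = earliest
definition = earliest="$earliest$" latest=now index=auth sourcetype=linux_secure action=failure | stats count AS failures BY user, host
iseval = 0

# Calls from the search bar or a dashboard:
#   | savedsearch failed_logins_since earliest="-24h@h" host="web01"
#   `failed_logins_since("12/24/2015:23:59:59")`
```

Two things to keep in mind when wiring this to user input. Substitution is purely textual, so whatever string the caller supplies is pasted into the search verbatim; a dashboard should feed these tokens from a time input (or another constrained input) rather than a free-text field, so that a value cannot smuggle extra search terms or a pipe into the saved search. And an absolute timestamp given to earliest must use Splunk's default time format (month/day/year:hour:minute:second, as in the macro call above) or be paired with timeformat=, otherwise the search fails to parse rather than silently returning the wrong window.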