Is it possible to pass arguments to a saved search via CSV?

Builder

Hi,

I am looking to get arguments for savedsearch from a CSV.

| savedsearch MYSAVEDSEARCH host=(from csv) threshold=(from csv)

Thanks

0 Karma
1 Solution

Communicator

Hi

You could try using the map command
https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Map

Here is an example

So first you define your SavedSearch with replacement placeholder terms (anything you want to replace gets enclosed inside $...$):

...
| eval host="$host_passed$"
| eval threshold="$threshold_passed$"
...

You save this search as a Report so you can use it later with the savedsearch command. Let's call this SavedSearch MYSAVEDSEARCH.

Then you can use this in a search query as below:

| inputlookup hosts_and_thresholds.csv
| rename host as host_passed threshold as threshold_passed
| map MYSAVEDSEARCH

The fields to be replaced should have the same name as the ones defined in the SavedSearch.

Hope it helps.

0 Karma

Communicator

Also you could try this:

| inputlookup hosts_and_thresholds.csv
| map search="| savedsearch MYSAVEDSEARCH host_passed=$host$ threshold_passed=$threshold$"
0 Karma