- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are adding comments to each search in our apps savedsearches.conf to keep our technical documentation for all saved searches as in-line as possible.
We are using Splunk native comment macro for adding comments in-line.
Inside the 'comment' tag this is done using JSON format:
`comment("{"type":"xxx","title":"yyy","id":"123","dataSource":"zzz","dataSourceTechName":"sss","dataSourceGuiName":"ttt","scheduleFrequency":"1d"}")`
All saved searches are in the savedsearches.conf file inside the app folder.
The question is: How can we extract the comments for all saved searches with a single search in Splunk GUI and table the data in the 'comment' tag?
With this search, i can get the 'search' from the savedsearches.conf, but i only want the 'comment' part of the search that gives me the field that are in the JSON, like title, type, id etc and the corresponding values:
| rest /servicesNS/-/-/saved/searches splunk_server=local | table title search
I need to be able to split the comment field into separate fields that display the field name and the corresponding value.
Edit:
Final version with correct way of working is as follows:
| rest /servicesNS/-/-/saved/searches splunk_server=local
| where search like "%`comment(%"
| rex field=search "\`comment\(\"(?<comment>.*)\)\`"
| fields search comment
| spath input=comment
| fields - search comment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The final version i needed is based on Kamlesh's answer with the addition of the spath command
| rest /servicesNS/-/-/saved/searches splunk_server=local
| where search like "%`comment(%"
| rex field=search "\`comment\(\"(?<comment>.*)\)\`"
| fields search comment
| spath input=comment
| fields - search comment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The final version i needed is based on Kamlesh's answer with the addition of the spath command
| rest /servicesNS/-/-/saved/searches splunk_server=local
| where search like "%`comment(%"
| rex field=search "\`comment\(\"(?<comment>.*)\)\`"
| fields search comment
| spath input=comment
| fields - search comment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
@ramgnisiv
Gald to help you
Happy Splunking
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/9dd94/9dd94b2e112752e754d596f78e5ce328b89fc899" alt="woodcock woodcock"
Like this:
| rest /servicesNS/-/-/saved/searches splunk_server=local | table title search
| makemv tokenizer="\s*\|\s*([^\|]+)" search
| eval search = mvfilter(match(search, "\s*`comment"))
| rename search AS comments
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get an empty comments field when i apply this search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/9dd94/9dd94b2e112752e754d596f78e5ce328b89fc899" alt="woodcock woodcock"
I made a slight adjustment. Try it now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I still get empty comment fields for all saved searches with the adjustment you did.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
@ramgnisiv
Can you please try this?
| rest /servicesNS/-/-/saved/searches splunk_server=local
| where search like "%`comment(%"
| rex field=search "\`comment\(\"(?<comment>.*)\)\`" | table title search comment
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get the following error when i apply this search:
Error in 'SearchParser': Missing a closing tick mark for macro expansion.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works, now i need to split the comment field into separate fields, called type, title, id, dataSource, dataSourceTechName, dataSourceGuiName, scheduleFrequency
These fields must display the values that correspond to the fields.
Any thoughts on how to do that also?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i did it with spath, i will share it in the question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
data:image/s3,"s3://crabby-images/de369/de36955662072a2b0e69a9b2caf31b826d7a55e8" alt="kamlesh_vaghela kamlesh_vaghela"
data:image/s3,"s3://crabby-images/f2c43/f2c43ff9fe30701b4ec7d60d5201063534e5c1eb" alt="SplunkTrust SplunkTrust"
@@ramgnisiv
I have updated my answer.
Can you try it?
data:image/s3,"s3://crabby-images/2f34b/2f34b8387157c32fbd6848ab5b6e4c62160b6f87" alt=""