Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

search in savedsearch for specific field value

kirrusk
Communicator
‎03-20-2020 02:09 AM

from my saved search i'm trying to get the values of a field like below

<search>
<query>| savedsearch mysearch field3 = $value$ </query>
</search>

but its not working

my report query is
index = internal |stats count by field1 field2 field3 field4

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-20-2020 11:31 AM

The savedsearch command's tokens are for input, not output so you can do this:

|savedsearch mysearch field3="$value$" ...

But this will send the value of $value$ in to be used for field3 if mysearch was written with field3 as a token.

View solution in original post

Reply
Solved! Jump to solution

jeffland
SplunkTrust
SplunkTrust
‎03-22-2020 11:57 PM

You'll need to search after fetching your search results like this:

<search>
  <query>| savedsearch mysearch | search field3 = $value$</query>
</search>

The | savedsearch command does not support filtering the results.

Also, you might want to consider using loadjob if your search is scheduled.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-20-2020 11:31 AM

The savedsearch command's tokens are for input, not output so you can do this:

|savedsearch mysearch field3="$value$" ...

But this will send the value of $value$ in to be used for field3 if mysearch was written with field3 as a token.

Reply
Solved! Jump to solution

kirrusk
Communicator
‎03-24-2020 05:11 AM

Thank you for clarifying, It made me think in different way.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-20-2020 08:59 AM

If $value$ if a field name then,

index = internal | stats count by field1 field2 $field3$ field4

If you are filtering field3 with value $value$, then,

index = internal  field3=$field3$ | stats count by field1 field2 field3 field4
Reply
Solved! Jump to solution

kirrusk
Communicator
‎03-20-2020 09:54 AM

my report query is
index = internal field1= (asterisk) field2=(asterisk) field3=(asterisk) field4=(asterisk) |stats count by field1 field2 field3 field4

i kept (asterisk) because not able to put asterisk symbol.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎03-20-2020 11:07 AM

then your report query should be:

index = internal field1= * field2=* field3=$field3$ field4=* |stats count by field1 field2 field3 field4

OR

index = internal field1= * field2=* field3=* field4=* |stats count(eval(field3=$field3$)) as count by field1 field2 field3 field4
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-20-2020 06:00 AM

You say "it's not working", but don't say what results you get or what results you expect. Please elaborate.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kirrusk
Communicator
‎03-20-2020 09:45 AM

like the stats with fields (field1 field2 field3 field4) are there, and i want to search the stats for specific value based on a field3. but getting all the values , not specific one.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...