Reporting

search in savedsearch for specific field value

kirrusk
Communicator

from my saved search i'm trying to get the values of a field like below

<search>
<query>| savedsearch mysearch field3 = $value$ </query>
</search>

but its not working

my report query is
index = internal |stats count by field1 field2 field3 field4

Labels (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

The savedsearch command's tokens are for input, not output so you can do this:

|savedsearch mysearch field3="$value$" ...

But this will send the value of $value$ in to be used for field3 if mysearch was written with field3 as a token.

View solution in original post

jeffland
SplunkTrust
SplunkTrust

You'll need to search after fetching your search results like this:

<search>
  <query>| savedsearch mysearch | search field3 = $value$</query>
</search>

The | savedsearch command does not support filtering the results.

Also, you might want to consider using loadjob if your search is scheduled.

0 Karma

woodcock
Esteemed Legend

The savedsearch command's tokens are for input, not output so you can do this:

|savedsearch mysearch field3="$value$" ...

But this will send the value of $value$ in to be used for field3 if mysearch was written with field3 as a token.

kirrusk
Communicator

Thank you for clarifying, It made me think in different way.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

If $value$ if a field name then,

index = internal | stats count by field1 field2 $field3$ field4

If you are filtering field3 with value $value$, then,

index = internal  field3=$field3$ | stats count by field1 field2 field3 field4

kirrusk
Communicator

my report query is
index = internal field1= (asterisk) field2=(asterisk) field3=(asterisk) field4=(asterisk) |stats count by field1 field2 field3 field4

i kept (asterisk) because not able to put asterisk symbol.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

then your report query should be:

index = internal field1= * field2=* field3=$field3$ field4=* |stats count by field1 field2 field3 field4

OR

index = internal field1= * field2=* field3=* field4=* |stats count(eval(field3=$field3$)) as count by field1 field2 field3 field4
0 Karma

richgalloway
SplunkTrust
SplunkTrust

You say "it's not working", but don't say what results you get or what results you expect. Please elaborate.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kirrusk
Communicator

like the stats with fields (field1 field2 field3 field4) are there, and i want to search the stats for specific value based on a field3. but getting all the values , not specific one.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...