Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Dynamically rewrite SPL query

eldarg
New Member
‎05-23-2025 09:45 AM

Hi, I'm trying to rewrite a given query and then execute it.

I need to do some complex lookups which can't be done with a regular macro then I thought about having a python command that will fetch the query and reconstruct it.

The issue I'm having is how to execute the new query?

I've tried with the SDK but the run time is much higher + the results return to the statistics page.

I've tried to inject the query into a field and then use map but it also wasn't successful.

Any idea that works? Maybe something I didn't try or whether if you know that one of that methods should work.

Thanks.

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2025 04:19 PM

You can do something along these lines in a SimpleXML dashboard by creating a search which generates the query you want to run and save the result to a token, and then have another panel which uses that token as its search query. 

0 Karma
Reply

eldarg
New Member
‎05-23-2025 11:52 PM

Thanks!

So dashboard is indeed a good solution.

But I’m looking for a solution that will also work on the search itself.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2025 12:35 PM

+1 on @isoutamo 's question. The underlying problem is what's important. Because sometimes you can simply use a subsearch to render it to a set of search conditions but sometimes it isn't enough and really the only reliable way to dynamically construct and run a search is the map command. Creating the whole search with a subsearch (especially if you wanted to return a multi-staged SPL or a search starting with a command other than search) generally doesn't work.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-24-2025 03:32 AM
What is an issue which you try to solve? Just a issue not how you have planned to solve it!
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...