Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dynamically rewrite SPL query

eldarg
New Member
a month ago

Hi, I'm trying to rewrite a given query and then execute it.

I need to do some complex lookups which can't be done with a regular macro then I thought about having a python command that will fetch the query and reconstruct it.

The issue I'm having is how to execute the new query?

I've tried with the SDK but the run time is much higher + the results return to the statistics page.

I've tried to inject the query into a field and then use map but it also wasn't successful.

Any idea that works? Maybe something I didn't try or whether if you know that one of that methods should work.

Thanks.

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
a month ago

You can do something along these lines in a SimpleXML dashboard by creating a search which generates the query you want to run and save the result to a token, and then have another panel which uses that token as its search query. 

0 Karma
Reply

eldarg
New Member
a month ago

Thanks!

So dashboard is indeed a good solution.

But I’m looking for a solution that will also work on the search itself.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
a month ago

+1 on @isoutamo 's question. The underlying problem is what's important. Because sometimes you can simply use a subsearch to render it to a set of search conditions but sometimes it isn't enough and really the only reliable way to dynamically construct and run a search is the map command. Creating the whole search with a subsearch (especially if you wanted to return a multi-staged SPL or a search starting with a command other than search) generally doesn't work.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
a month ago
What is an issue which you try to solve? Just a issue not how you have planned to solve it!
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...