Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dynamically rewrite SPL query

eldarg
New Member
‎05-23-2025 09:45 AM

Hi, I'm trying to rewrite a given query and then execute it.

I need to do some complex lookups which can't be done with a regular macro then I thought about having a python command that will fetch the query and reconstruct it.

The issue I'm having is how to execute the new query?

I've tried with the SDK but the run time is much higher + the results return to the statistics page.

I've tried to inject the query into a field and then use map but it also wasn't successful.

Any idea that works? Maybe something I didn't try or whether if you know that one of that methods should work.

Thanks.

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2025 04:19 PM

You can do something along these lines in a SimpleXML dashboard by creating a search which generates the query you want to run and save the result to a token, and then have another panel which uses that token as its search query. 

0 Karma
Reply

eldarg
New Member
‎05-23-2025 11:52 PM

Thanks!

So dashboard is indeed a good solution.

But I’m looking for a solution that will also work on the search itself.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2025 12:35 PM

+1 on @isoutamo 's question. The underlying problem is what's important. Because sometimes you can simply use a subsearch to render it to a set of search conditions but sometimes it isn't enough and really the only reliable way to dynamically construct and run a search is the map command. Creating the whole search with a subsearch (especially if you wanted to return a multi-staged SPL or a search starting with a command other than search) generally doesn't work.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-24-2025 03:32 AM
What is an issue which you try to solve? Just a issue not how you have planned to solve it!
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...
li.common.scroll-to.top