Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Dynamically rewrite SPL query

eldarg
New Member
‎05-23-2025 09:45 AM

Hi, I'm trying to rewrite a given query and then execute it.

I need to do some complex lookups which can't be done with a regular macro then I thought about having a python command that will fetch the query and reconstruct it.

The issue I'm having is how to execute the new query?

I've tried with the SDK but the run time is much higher + the results return to the statistics page.

I've tried to inject the query into a field and then use map but it also wasn't successful.

Any idea that works? Maybe something I didn't try or whether if you know that one of that methods should work.

Thanks.

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2025 04:19 PM

You can do something along these lines in a SimpleXML dashboard by creating a search which generates the query you want to run and save the result to a token, and then have another panel which uses that token as its search query. 

0 Karma
Reply

eldarg
New Member
‎05-23-2025 11:52 PM

Thanks!

So dashboard is indeed a good solution.

But I’m looking for a solution that will also work on the search itself.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎05-24-2025 12:35 PM

+1 on @isoutamo 's question. The underlying problem is what's important. Because sometimes you can simply use a subsearch to render it to a set of search conditions but sometimes it isn't enough and really the only reliable way to dynamically construct and run a search is the map command. Creating the whole search with a subsearch (especially if you wanted to return a multi-staged SPL or a search starting with a command other than search) generally doesn't work.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-24-2025 03:32 AM
What is an issue which you try to solve? Just a issue not how you have planned to solve it!
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...