Splunk Dev

How to pass parameter not starting with args to saved search by rest api

phperl
Loves-to-Learn

Normally we can pass parameter to saved search by args.* form, but how to pass parameter not starting with args. such as $host$. In spl, savedsearch can pass parameter correctly, but if I invoke saved search dispatch action by rest api, parameter not starting with args can't be accepted, it will return an error.

Sample saved search query with host as one of the parameters that I want to substitute at runtime:

index=fooindex sourcetype=foosourcetype host=$args.host$

Sample JS code to dispatch with argument substitution:

mySavedSearch.dispatch({"args.host": "foohost"}, function(err, job) {
Tags (2)
0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...