Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Can we pass a parameter to a report?

danielbb
Motivator
‎05-05-2023 07:43 AM

Is there a way to pass a parameter to a report when calling it via - 

 

curl -u user:password -k https://<api_server>:8089/servicesNS/nobody/<app_name>/search/jobs -d "search=savedsearch <savedsearch_name>" -d exec_mode=oneshot -d count=10000

 




0 Karma
Reply

ldongradi_SPL
Splunk Employee
Splunk Employee
‎01-22-2026 02:31 AM

YES

Assuming the search was saved with an SPL including a token, like $myvar$, you can call the report (aka saved search) in SPL with that syntax: | savedsearch myreport myvar=1000

Example:

| makeresults count=10 -> generates 10 stats events

| makeresults count=$myvar$ -> saved as a report named myreport

| savedsearch myreport myvar=1000 -> will run the saved search for 1000 events

Note: 

If you omit to name the expected variable when calling the saved search, you'd end up with an error. The report now expects the variable(s) to be mentioned an any run.

You can call then the saved search in CLI from the Search Head (or locally to an indexer):

/opt/splunk/bin/splunk search '| savedsearch myreport myvar=10'

or from a REST call:

curl -u user:password -k https://<api_server>:8089/servicesNS/nobody/<app_name>/search/jobs -d "search=savedsearch myreport myvar=1000" -d exec_mode=oneshot


You can also use the saved search from a Dashboard, at least from XML.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-22-2026 10:19 PM

This is very useful information!  Meanwhile, Splunk equates "saved search" with "Report".  If you save a search with token, the saved search can no longer be used as Report because the common sense of a Report is such that you open it and see output.  In such use, the "saved search" is very much just another way of saving a macro.

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-05-2023 10:49 PM

Depending on what you want to pass - or, in an awkward way to say it, where you want to pass into.  You cannot change SPL in a saved search when calling it.  There are limited ways to influence the output by passing CGI variables in GET method.  The most obvious, and arguably the most useful one is earliest and latest. To do so, you will need to save with Time Range Picker "Yes"; and the SPL in the saved search must not have override to earliest and latest.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...