Splunk Search

How To Pass Parameters to Saved Search Using Splunklib

Traer001
Path Finder

Hello,

Does anyone know how to pass parameters to a saved search using the splunklib for the Splunk API?

I am able to use it to get results from my saved searches, but now I would like to be able to pass a variable value to my saved search. I've seen a few examples of people using the "curl" approach, but I wanted to see if there was a way to do this by directly using the splunklib for Python.

This is the snippet of code where I retrieve my saved search and then run it.

number_of_users = 10
search_name = "Find Most Recent Users"
mysavedsearch = service.saved_searches[search_name]
job = mysavedsearch.dispatch()

 

So if I have a saved search named: Find Most Recent Users

And that search looks like:  "index=INDEX host=HOST sourcetype=SOURCETYPE | rex field=_raw "User:(?<user_id>\d+) | where isnotnull(user_id) | head $number_of_users$"

 

How would I pass the variable "number_of_users" into the above?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...