Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to invoke SPL from a field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I' searching for a possibility to invoke SPL from a field. Background: I want to dynamically display tables columns. I am getting the correct format from a lookup where the field "spl" contains the output like "table host source sourcetype"
index=summary | lookup formatting.csv matchhost as host | invoke(spl)
Is there a possibility to execute spl coming from a field?
Thanks for your help in advance,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you want to sort the order of the fields in a table based on which savedsearch the events are from. For this you need to search for a specific saved_search. Then you have a lookup with a 1:1 connection between savedsearch and format. If this is true, try the following:
index=summary search_name="your_saved_search"
| table
[ | inputlookup formatting.csv
| search search_name="your_saved_search"
| fields format
| rename format as search ]
Background for this is, that a field named "search" from a subsearch is interpreted as SPL in the base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you want to sort the order of the fields in a table based on which savedsearch the events are from. For this you need to search for a specific saved_search. Then you have a lookup with a 1:1 connection between savedsearch and format. If this is true, try the following:
index=summary search_name="your_saved_search"
| table
[ | inputlookup formatting.csv
| search search_name="your_saved_search"
| fields format
| rename format as search ]
Background for this is, that a field named "search" from a subsearch is interpreted as SPL in the base search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Well, I'd like to create a certain dashboard: maybe I need to tell more about the background: I want to store the result of an alert for later viewing. All alerts table out their results out in a different way. First idea is to use summary indexes for storing the results.
Unfurtunatly in the summary index the table columns are reordered alphabetically.
For later viewing I want to create a dashboard which calls the Summaryindex and table out the result. As the resulttable is dynamically i like to interpret spl which is coming from the lookup.
If this is not possible - i guess i've seen it somewhere in the past - im may have to create a custom alert action, but i want to use less custom code as possible.
Regards,
Andreas
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like you are building a dashboard, so you want to link from a field to a drilldown search.
This is a standard feature.
Here's how to link to a search:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/DrilldownLinkToSearch
here's how to link to a separate dashboard:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Viz/DrilldownLinkToDashboard
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series: Telemetry Pipeline Management
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
