Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to re-use list of values.

iet_ashish
Explorer
‎04-17-2020 02:04 AM

I have a query which essentially looks like this,

| makeresults count=1 
| eval host="host1, host2, host3, host4, host5, host6" 
| makemv tokenizer="([^,]+),?" host 
| mvexpand host 
| fields - _time 
| join type=left host 
    [ search index=someIndex host IN (host1, host2, host3, host4, host5, host6) 
    | stats count as numEvents, first(field1) as field1Val, first(field2) as field2Value by host ]

As one can see I have to pass the list of hosts "host1, host2, host3, host4, host5, host6", once during "makeresults" and another time in the sub search. Is there any way to declare a variable for this list.

Is there a way to avoid this duplication. Sometimes this list of hosts can be really long. I want to send this query to a non-IT user who doesn't understand Splunk too well and was wondering if I can reduce the hassle for him.

Thanks,
Ashish

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-17-2020 04:46 AM

You can update search query to use token parameter and save this search as Report (saved search). 

| makeresults count=1 
 | eval host="$hosts$" 
 | makemv tokenizer="([^,]+),?" host 
 | mvexpand host 
 | fields - _time 
 | join type=left host 
     [ search index=someIndex host IN ($hosts$) 
     | stats count as numEvents, first(field1) as field1Val, first(field2) as field2Value by host ]

Once you save make sure to check permissions. Ask users to run saved search using savedsearch command with parameter like below:

| savedsearch saved_search_name hosts="host1, host2, host3, host4, host5, host6"

View solution in original post

Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎04-17-2020 04:46 AM

You can update search query to use token parameter and save this search as Report (saved search). 

| makeresults count=1 
 | eval host="$hosts$" 
 | makemv tokenizer="([^,]+),?" host 
 | mvexpand host 
 | fields - _time 
 | join type=left host 
     [ search index=someIndex host IN ($hosts$) 
     | stats count as numEvents, first(field1) as field1Val, first(field2) as field2Value by host ]

Once you save make sure to check permissions. Ask users to run saved search using savedsearch command with parameter like below:

| savedsearch saved_search_name hosts="host1, host2, host3, host4, host5, host6"
Reply
Solved! Jump to solution

iet_ashish
Explorer
‎04-20-2020 01:43 AM

This is exactly what I was looking for. Thanks.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-17-2020 04:29 AM

The concept you're looking for is called macros. In the UI, go to Settings -> Advanced Search -> Search Macros to create one, remember to set sharing to App, and refer to the macro in your search using backticks. See https://docs.splunk.com/Documentation/Splunk/8.0.3/Knowledge/Usesearchmacros

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-20-2020 02:32 AM

If you store the hosts inside the macro you only need to list them out once, over all searches that require this particular list.

0 Karma
Reply
Solved! Jump to solution

iet_ashish
Explorer
‎04-20-2020 01:52 AM

Unfortunately this does not work for us. Let say I define a parameterized macro - "hostlist".
Even in this case the user would have to pass the macro to query twice,

makeresults 1
| hosts=hostlist(host1, host2, host3,....)
|join type=left
| [search host IN (hostlist(host1, host2, host3,....)`)]

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Top