Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to save bracket syntax in a report

jip31
Motivator
‎06-24-2019 10:14 PM

Hi
In my XML file, I use the syntax below which works perfectly

   | search SITE=$tok_filtersite|s$

But I need to save it in a report but it doesn't work.
I tried with ""

      | search SITE="$tok_filtersite|s$ "

With this, I can save the report but the filter token doesn't work.
What should I do, please?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-25-2019 01:33 AM

Hi @jip31,

In your savedsearch keep the token as $tok_filtersite$ and when you call your saved search call it as follows :

...
 <query>| savedsearch "Your SavedSearch" tok_filtersite="$tok_filtersite|s$"</query>
...

You will send the escaped value directly to your saved search, no need to escape it twice.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎06-25-2019 01:33 AM

Hi @jip31,

In your savedsearch keep the token as $tok_filtersite$ and when you call your saved search call it as follows :

...
 <query>| savedsearch "Your SavedSearch" tok_filtersite="$tok_filtersite|s$"</query>
...

You will send the escaped value directly to your saved search, no need to escape it twice.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎06-25-2019 01:49 AM

hi many thanks

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎06-25-2019 02:05 AM

hummm
do I have to do something like this??

[| inputlookup host.csv 
    | table host] `CPU` tok_filtersite="$tok_filtersite|s$"
| where process_cpu_used_percent>80 
| bucket _time span=3m 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| search SITE=$tok_filtersite|s$ 
| stats dc(host)
0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎06-25-2019 02:08 AM

Is this your saved search ? If so it should be like this :

 [| inputlookup host.csv 
     | table host] `CPU` tok_filtersite="$tok_filtersite$"
 | where process_cpu_used_percent>80 
 | bucket _time span=3m 
 | lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
 | search SITE=$tok_filtersite$ 
 | stats dc(host)

And then when you call it from a dashboard, you call it like this :

 ...
  | savedsearch "Your SavedSearch" tok_filtersite="$tok_filtersite|s$"
 ...
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎06-25-2019 02:45 AM

OK thanks...

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...