Splunk Search

How to save bracket syntax in a report

jip31
Motivator

Hi
In my XML file, I use the syntax below which works perfectly

   | search SITE=$tok_filtersite|s$ 

But I need to save it in a report but it doesn't work.
I tried with ""

      | search SITE="$tok_filtersite|s$ "

With this, I can save the report but the filter token doesn't work.
What should I do, please?

0 Karma
1 Solution

DavidHourani
Super Champion

Hi @jip31,

In your savedsearch keep the token as $tok_filtersite$ and when you call your saved search call it as follows :

...
 <query>| savedsearch "Your SavedSearch" tok_filtersite="$tok_filtersite|s$"</query>
...

You will send the escaped value directly to your saved search, no need to escape it twice.

Cheers,
David

View solution in original post

0 Karma

DavidHourani
Super Champion

Hi @jip31,

In your savedsearch keep the token as $tok_filtersite$ and when you call your saved search call it as follows :

...
 <query>| savedsearch "Your SavedSearch" tok_filtersite="$tok_filtersite|s$"</query>
...

You will send the escaped value directly to your saved search, no need to escape it twice.

Cheers,
David

0 Karma

jip31
Motivator

hi many thanks

0 Karma

jip31
Motivator

hummm
do I have to do something like this??

[| inputlookup host.csv 
    | table host] `CPU` tok_filtersite="$tok_filtersite|s$"
| where process_cpu_used_percent>80 
| bucket _time span=3m 
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
| search SITE=$tok_filtersite|s$ 
| stats dc(host)
0 Karma

DavidHourani
Super Champion

Is this your saved search ? If so it should be like this :

 [| inputlookup host.csv 
     | table host] `CPU` tok_filtersite="$tok_filtersite$"
 | where process_cpu_used_percent>80 
 | bucket _time span=3m 
 | lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE 
 | search SITE=$tok_filtersite$ 
 | stats dc(host)

And then when you call it from a dashboard, you call it like this :

 ...
  | savedsearch "Your SavedSearch" tok_filtersite="$tok_filtersite|s$"
 ...
0 Karma

jip31
Motivator

OK thanks...

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...