Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is it possible to run query returned from Rest?

SMM10
Explorer
‎05-13-2022 01:45 PM

I am working on something to return our alerts from rest functions. What I want to do is allow users to historically look at the alert query and see what adjustments can be made to certain items.

 

| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch

 

From the search above, I want Splunk to run the qualifiedfieldsearch; which is the search string. Is this something that is possible?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2022 12:11 AM

Try something like this

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$search$

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2022 12:11 AM

Try something like this

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$search$
Reply
Solved! Jump to solution

SMM10
Explorer
‎05-17-2022 10:31 AM

This worked perfect, thank you! As a follow up if I wanted to use this in a dashboard would I need to do anything to the token. It runs as  a search fine but in a dashboard it seems to be waiting for the query token to get set.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2022 11:23 AM

For dashboards, you have to double-dollar the variable names

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$$search$$
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-13-2022 10:00 PM

Hi @SMM10,

you should see the "sevedsearchcommand" (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch).

you could use your search in a panel and on click you could drilldown in another panel or dashboard executing the choosen search.

but the field to pass as parameter is "title" not "qualifiedSearch".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

SMM10
Explorer
‎05-17-2022 10:59 AM

Thanks for the input! In this case I want to edit the search before running, so I don't want it to really run as is with an existing job result or even with the current query. I am using it as a historical analysis on alerts to review how they missed or how far off they were during an event that it doesn't capture.

Tags (1)
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...