Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to run query returned from Rest?

SMM10
Explorer
‎05-13-2022 01:45 PM

I am working on something to return our alerts from rest functions. What I want to do is allow users to historically look at the alert query and see what adjustments can be made to certain items.

 

| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch

 

From the search above, I want Splunk to run the qualifiedfieldsearch; which is the search string. Is this something that is possible?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2022 12:11 AM

Try something like this

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$search$

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2022 12:11 AM

Try something like this

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$search$
Reply
Solved! Jump to solution

SMM10
Explorer
‎05-17-2022 10:31 AM

This worked perfect, thank you! As a follow up if I wanted to use this in a dashboard would I need to do anything to the token. It runs as  a search fine but in a dashboard it seems to be waiting for the query token to get set.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2022 11:23 AM

For dashboards, you have to double-dollar the variable names

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$$search$$
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-13-2022 10:00 PM

Hi @SMM10,

you should see the "sevedsearchcommand" (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch).

you could use your search in a panel and on click you could drilldown in another panel or dashboard executing the choosen search.

but the field to pass as parameter is "title" not "qualifiedSearch".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

SMM10
Explorer
‎05-17-2022 10:59 AM

Thanks for the input! In this case I want to edit the search before running, so I don't want it to really run as is with an existing job result or even with the current query. I am using it as a historical analysis on alerts to review how they missed or how far off they were during an event that it doesn't capture.

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...