Splunk Search

Is it possible to run a query returned from REST?

SMM10
Explorer

I am working on something to return our alerts from rest functions. What I want to do is allow users to historically look at the alert query and see what adjustments can be made to certain items.


| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch


From the search above, I want Splunk to run the qualifiedSearch, which is the search string. Is this something that is possible?

1 Solution

ITWhisperer
SplunkTrust

Try something like this

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search=\"$search$\""


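The same fetch-then-run flow done outside SPL, as an added example that is not from this thread or any of its posters: it reads a saved search's qualifiedSearch through Splunk's REST API, lets you edit the pipeline before re-running it (the historical-review use case the original poster describes), and dispatches the result as an ad-hoc job over a time window set in the dispatch body rather than in the SPL. The host, token and saved-search content are constructed placeholders; the JSON shape is Splunk's output_mode=json layout. qualifiedSearch is used for the same reason the accepted answer uses it: it is the macro-expanded SPL with the leading search keyword, which is what search/jobs requires.

```python
"""Fetch a saved search's expanded SPL via the Splunk REST API, edit it, dispatch it.
Added example, not code from the thread. Host, token and sample data are constructed."""
import json
import urllib.parse
import urllib.request
from typing import Dict, List, Optional, Set

# Constructed sample of GET /servicesNS/-/-/saved/searches/<title>?output_mode=json,
# trimmed to the fields this example reads.
SAMPLE_REST_RESPONSE = json.dumps({
    "entry": [{
        "name": "SomeAlert",
        "acl": {"app": "search", "owner": "admin"},
        "content": {
            "search": "index=auth action=failure | stats count by user | where count > 20",
            "qualifiedSearch": "search index=auth action=failure | stats count by user | where count > 20",
            "dispatch.earliest_time": "-24h@h",
            "dispatch.latest_time": "now",
        },
    }]
})


def extract_qualified_search(rest_json: str, title: str) -> Optional[str]:
    """Return the qualifiedSearch of the entry named `title`, or None if absent."""
    doc = json.loads(rest_json)
    for entry in doc.get("entry", []):
        if entry.get("name") == title:
            return entry.get("content", {}).get("qualifiedSearch")
    return None


def split_pipeline(spl: str) -> List[str]:
    """Split SPL on top-level pipes, ignoring '|' inside double-quoted strings."""
    stages, buf, in_quote, prev = [], [], False, ""
    for ch in spl:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    stages.append("".join(buf).strip())
    return [s for s in stages if s]


def drop_stages(spl: str, commands: Set[str]) -> str:
    """Remove pipeline stages whose command is in `commands`, e.g. the final
    threshold filter, so the alert can be reviewed over everything it scored."""
    kept = [s for s in split_pipeline(spl) if s.split(None, 1)[0].lower() not in commands]
    return " | ".join(kept)


def make_dispatchable(spl: str) -> str:
    """search/jobs only accepts a string that starts with 'search' or a generating
    command ('|'); the raw 'search' attribute often lacks the keyword."""
    s = spl.strip()
    if s.startswith("|") or s.lower().startswith("search "):
        return s
    return "search " + s


def build_job_body(spl: str, earliest: str, latest: str) -> Dict[str, str]:
    """Body for POST /services/search/jobs. Time bounds go in the dispatch
    parameters so a generating ('|') search is not broken by editing its SPL."""
    return {"search": make_dispatchable(spl), "earliest_time": earliest,
            "latest_time": latest, "exec_mode": "blocking"}


def splunk_get(base_url: str, token: str, path: str) -> str:
    """GET a REST path as JSON using a Splunk authentication (Bearer) token."""
    req = urllib.request.Request(f"{base_url}{path}?output_mode=json",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def dispatch_job(base_url: str, token: str, body: Dict[str, str]) -> str:
    """POST the job and return its search id (sid)."""
    req = urllib.request.Request(f"{base_url}/services/search/jobs?output_mode=json",
                                 data=urllib.parse.urlencode(body).encode(),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())["sid"]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in splunk_get()/dispatch_job()
    # with a real base_url and token (placeholders, hypothetical) to go live.
    spl = extract_qualified_search(SAMPLE_REST_RESPONSE, "SomeAlert")
    edited = drop_stages(spl, {"where"})
    print(build_job_body(edited, "-30d@d", "-1d@d"))
```

Because the dispatched string is whatever is stored in the saved search, run this as an identity whose role can read only the alerts under review, and keep the time window in the job body so the original SPL is left intact for the audit trail.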
SMM10
Explorer

This worked perfectly, thank you! As a follow-up, if I wanted to use this in a dashboard, would I need to do anything to the token? It runs fine as a search, but in a dashboard it seems to be waiting for the query token to get set.


ITWhisperer
SplunkTrust

For dashboards, you have to double-dollar the variable names

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search=\"$$search$$\""

gcusello
SplunkTrust

Hi @SMM10,

You should see the savedsearch command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch).

You could use your search in a panel and on click you could drill down into another panel or dashboard executing the chosen search.

But the field to pass as parameter is "title", not "qualifiedSearch".

Ciao.

Giuseppe


SMM10
Explorer

Thanks for the input! In this case I want to edit the search before running, so I don't want it to really run as is with an existing job result or even with the current query. I am using it as a historical analysis on alerts to review how they missed or how far off they were during an event that it doesn't capture.
