Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pass variable value to savedsearch

kk2204
Explorer
‎01-17-2024 10:05 AM

Hi,

I am having issues passing value into savedsearch

Below is the simplified version of my query:

| inputlookup alert_thresholds.csv 
| search Alert="HTTP 500" 
| stats values(Critical) as Critical 
| appendcols [| savedsearch "Events_list" perc=Critical]


basically what I want to do is to use Critical value as the value of perc in subsearch but it seems to not work correctly. I get no results. When I replace Critical with 10 in the subsearch it works just fine.


Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-17-2024 01:57 PM

You cannot pass things into the subsearch in Splunk. Subsearches run before the outer search, so the appendcols subsearch has no knowledge of Critical.

Maybe you can share your saved search and more detail of the primary search, as there is probably a way to craft it that can work - it looks like you're using the saved search as some kind of lookup.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-17-2024 05:00 PM

The appendcols command runs after the main search, but it's true the subsearch has no awareness of fields outside the subsearch.  Thanks for pointing that out, @bowesmana 

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-17-2024 10:53 AM

The RHS of arguments in the savedsearch command is expected to be a string rather than a field name.  You might try putting the value in single quotes to see if the forces it to be treated as a field.

| appendcols [| savedsearch "Events_list" perc='Critical']

There's a wrinkle, however.  The Critical field is multi-value (because of the values function) and most commands don't work well with multi-value fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...