Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Pass variable value to savedsearch

kk2204
Explorer
‎01-17-2024 10:05 AM

Hi,

I am having issues passing value into savedsearch

Below is the simplified version of my query:

| inputlookup alert_thresholds.csv 
| search Alert="HTTP 500" 
| stats values(Critical) as Critical 
| appendcols [| savedsearch "Events_list" perc=Critical]


basically what I want to do is to use Critical value as the value of perc in subsearch but it seems to not work correctly. I get no results. When I replace Critical with 10 in the subsearch it works just fine.


Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-17-2024 01:57 PM

You cannot pass things into the subsearch in Splunk. Subsearches run before the outer search, so the appendcols subsearch has no knowledge of Critical.

Maybe you can share your saved search and more detail of the primary search, as there is probably a way to craft it that can work - it looks like you're using the saved search as some kind of lookup.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-17-2024 05:00 PM

The appendcols command runs after the main search, but it's true the subsearch has no awareness of fields outside the subsearch.  Thanks for pointing that out, @bowesmana 

---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-17-2024 10:53 AM

The RHS of arguments in the savedsearch command is expected to be a string rather than a field name.  You might try putting the value in single quotes to see if the forces it to be treated as a field.

| appendcols [| savedsearch "Events_list" perc='Critical']

There's a wrinkle, however.  The Critical field is multi-value (because of the values function) and most commands don't work well with multi-value fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...