Splunk Search

Pass variable value to savedsearch

kk2204
Explorer

Hi,

I am having issues passing a value into savedsearch.

Below is the simplified version of my query:

| inputlookup alert_thresholds.csv 
| search Alert="HTTP 500" 
| stats values(Critical) as Critical 
| appendcols [| savedsearch "Events_list" perc=Critical]


Basically, what I want to do is use the Critical value as the value of perc in the subsearch, but it seems not to work correctly. I get no results. When I replace Critical with 10 in the subsearch, it works just fine.


0 Karma

bowesmana
SplunkTrust

You cannot pass things into the subsearch in Splunk. Subsearches run before the outer search, so the appendcols subsearch has no knowledge of Critical.

Maybe you can share your saved search and more detail of the primary search, as there is probably a way to craft it that can work - it looks like you're using the saved search as some kind of lookup.

0 Karma

richgalloway
SplunkTrust

The appendcols command runs after the main search, but it's true the subsearch has no awareness of fields outside the subsearch.  Thanks for pointing that out, @bowesmana 

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

The RHS of arguments in the savedsearch command is expected to be a string rather than a field name. You might try putting the value in single quotes to see if that forces it to be treated as a field.

| appendcols [| savedsearch "Events_list" perc='Critical']

There's a wrinkle, however.  The Critical field is multi-value (because of the values function) and most commands don't work well with multi-value fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
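
One way to get the lookup value into the saved search, as an added example that is not part of the original thread: the map command runs its search once per result row of the outer search and replaces $Critical$ with that row's field value before the inner search is parsed. It assumes Events_list reads a $perc$ token, that Critical is numeric, and that max() is an acceptable way to reduce the threshold to a single value instead of the multi-value result of values().

```spl
| inputlookup alert_thresholds.csv
| search Alert="HTTP 500"
| stats max(Critical) as Critical
| map maxsearches=1 search="| savedsearch Events_list perc=$Critical$ | eval Critical=$Critical$"
```

map returns only the results of the inner search, so the trailing eval carries the threshold along with the events in place of appendcols.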