Hi,
I am having issues passing a value into savedsearch.
Below is the simplified version of my query:
| inputlookup alert_thresholds.csv
| search Alert="HTTP 500"
| stats values(Critical) as Critical
| appendcols [| savedsearch "Events_list" perc=Critical]
Basically, what I want to do is use the Critical value as the value of perc in the subsearch, but it seems not to work correctly. I get no results. When I replace Critical with 10 in the subsearch, it works just fine.
You cannot pass things into the subsearch in Splunk. Subsearches run before the outer search, so the appendcols subsearch has no knowledge of Critical.
Maybe you can share your saved search and more detail of the primary search, as there is probably a way to craft it that can work - it looks like you're using the saved search as some kind of lookup.
The appendcols command runs after the main search, but it's true the subsearch has no awareness of fields outside the subsearch. Thanks for pointing that out, @bowesmana
The RHS of arguments in the savedsearch command is expected to be a string rather than a field name. You might try putting the value in single quotes to see if that forces it to be treated as a field.
| appendcols [| savedsearch "Events_list" perc='Critical']
There's a wrinkle, however. The Critical field is multi-value (because of the values function) and most commands don't work well with multi-value fields.
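An added example, not part of the thread above: because a subsearch cannot see the outer search's fields, one alternative is the map command, which runs its search string once per input row and replaces $Critical$ with that row's field value before savedsearch is invoked. It assumes the Events_list saved search references its argument as $perc$, that the threshold is numeric, and that only the first value is wanted when Critical is multi-value (mvindex picks it); the trailing eval is an optional addition that keeps the threshold visible in the results.

```spl
| inputlookup alert_thresholds.csv
| search Alert="HTTP 500"
| stats values(Critical) as Critical
| eval Critical=mvindex(Critical, 0)
| map maxsearches=1 search="| savedsearch \"Events_list\" perc=$Critical$ | eval Critical=$Critical$"
```

The output of map replaces the outer results rather than appending columns to them, which is why the threshold is re-added inside the mapped search.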