Retrieve the name of the current search

Scott_Kudelski
Explorer

I would like to be able to retrieve the name of the current search to pass to a macro in the search.

Saved Search name in app "Access - Cleartext Password At Rest"

| from datamodel:"Compute_Inventory"."Cleartext_Passwords"
| `get_info($SEARCH_NAME$)`
| stats max(_time) as "lastTime",latest(_raw) as "orig_raw",values(tag) as "tag",count by "dest","user","password"

Macro "get_info"
Argument: searchname
lookup searchparms $searchname$

So in this example, when the scheduled search "Access - Cleartext Password At Rest" is run, it would look up information from "searchparms" for "Access - Cleartext Password At Rest".


richgalloway
SplunkTrust

Try $job.label$

---
If this reply helps you, Karma would be appreciated.

Scott_Kudelski
Explorer

@richgalloway I was unable to get any results for $job.label$
