Splunk 8.0.1: Getting error when using | from data...

bowesmana · ‎08-27-2020

I have a saved search that does:

| from datamodel:"Performance.Storage"

But, I am trying to make this saved search parameterized using:

| from datamodel:"$model$"

When I try to edit the search in the GUI, it throws this error:

Error in 'SearchOperator:datamodel': Error in 'DataModelEvaluator': Data model '$model$' was not found.

If I edit savedsearches.conf directly and change the SPL to use $model$ then it runs with no problem and parameterizes the search accordingly.

Is this a bug in the UI? I'm using Splunk 8.0.1.

bowesmana · ‎10-06-2020

The reason for parameterising the saved search is so that the search can be called from a map command passing model=X

bowesmana · ‎09-21-2020

OK, so I revisited this one - I thought I'll make a macro and give it a parameter and pass the replacement variable to the macro, i.e.

`datamodel_search("$model$")`

but that has the same problem - same message.

Are there any Splunk employees there who can confirm if the GUI behaviour is correct, i.e. it should not be allowed, or if the GUI has a bug, because in savedsearches.conf, it works when using $model$

Splunk 8.0.1: Getting error when using | from datamodel:$model$ to put parameters on a saved search.

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?