Splunk Search

savedsearch command replace with a literal string not working

chrisboy68
Contributor

Hi, I'm using a Report (because I need to allow permissions to the data) in a dashboard, passing tokens. Looking at the docs, I can use the "savedsearch" command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch

|  savedsearch "MyReport" emailsubject_tok="Long Subject Name with + | and spaces"

When I look at the job log, only the first word is being replaced. So for my example, the job log shows emailsubject_tok as "Long". How can I pass this in as a literal string? I'm trying not to modify the string itself, as this will be a user cutting and pasting email subject text.

Thank you!

 Chris

0 Karma
1 Solution

bowesmana
SplunkTrust

Tokens in dashboards are variables and, when used, are surrounded with $xxx$, which I am sure you know. However, a similar construct is used in the saved search command

| savedsearch Name key="value"

but these key value pairs are not 'tokens'. The savedsearch doc refers to them as "replacement placeholder terms"

So, in your saved search/report you would then surround your replacement term with quotes, so I believe in your example your saved search should be using

<base search > |  search subject="$emailsubject_tok$"

This is how I am using those terms, surrounded with quotes and I have no problems using these when they contain spaces.

Hope this works.

 


0 Karma

bowesmana
SplunkTrust

Is that saved search command the <query> element in a dashboard?

If so, how is the emailsubject_tok value getting there, is it from a token?

I have a similar saved search and it is working fine like this, i.e. the token is appearing in the saved search as the correct data. Both of these work

<query>| savedsearch MySavedSearch device_key="$device_key$"</query>

<query>| savedsearch MySavedSearch device_key="Long Subject Name with + | and spaces"</query>

I am not quoting my saved search name, which is not necessary if it's a single word.

0 Karma

chrisboy68
Contributor

Hi, thanks for the reply. It is getting populated through the dashboard, but I'm trying to do it via the console and running into issues.

| savedsearch "SavedSearches With Spaces" emailsubject_tok="Long Subject Name with + | and spaces"

emailsubject_tok is in the report like:

<base search > |  search subject=$emailsubject_tok$

Maybe I'm messing up my quotes. Are you able to use the command with a search and token that contains spaces? Thanks!

0 Karma

chrisboy68
Contributor

Oh my, that was it. I needed to quote the token string in the Report/saved search!

Thank you!

Chris

0 Karma
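
An added illustration, not part of the thread and not Splunk's code: a simplified Python model of the plain-text placeholder replacement described in the accepted answer, together with a check that flags `$name$` placeholders left outside double quotes in a report definition. The `index=mail` base search and the pipe-splitting rule are assumptions made for this example; Splunk's real parser is more involved.

```python
import re

# $name$ placeholders as used in the report definition on this page.
PLACEHOLDER = re.compile(r"\$(\w+)\$")

def substitute(template, values):
    """Model of plain text replacement; unknown placeholders are left as-is."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)

def stages(search):
    """Split a search on pipes that fall outside double quotes (simplified)."""
    out, cur, quoted = [], [], False
    for ch in search:
        if ch == '"':
            quoted = not quoted
        if ch == "|" and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return out

def unquoted_placeholders(template):
    """Return names of placeholders that sit outside double quotes."""
    found, quoted, i = [], False, 0
    while i < len(template):
        if template[i] == '"':
            quoted = not quoted
        m = PLACEHOLDER.match(template, i)
        if m:
            if not quoted:
                found.append(m.group(1))
            i = m.end()
        else:
            i += 1
    return found

# Constructed report definitions; "index=mail" stands in for <base search>.
UNQUOTED = 'index=mail | search subject=$emailsubject_tok$'
QUOTED = 'index=mail | search subject="$emailsubject_tok$"'
PASTED = {"emailsubject_tok": "Long Subject Name with + | and spaces"}

if __name__ == "__main__":
    for report in (UNQUOTED, QUOTED):
        print(unquoted_placeholders(report), stages(substitute(report, PASTED)))
```

In this model the unquoted report ends up with an extra pipeline stage built from the pasted text, while the quoted report keeps the whole subject as one value.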