Splunk Search

savedsearch command replace with a literal string not working

chrisboy68
Contributor

Hi using a Report (cause I need to allow permissions to the data) in a dashboard passing tokens. Looking at the docs, I can use "savedsearch" command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch

 

 

|  savedsearch "MyReport" emailsubject_tok="Long Subject Name with + | and spaces"

 

 

 

When I look at the job log, only the first word is being replaced. So for my example, the job log shows emailsubject_tok as "Long".  How can I pass this in as a literal string? Trying not to modify the string itself as this will be a user cutting and pasting email subject text.

Thank you!

 Chris

Labels (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Tokens in dashboards are variables and when used, are surrounded with $xxx$, which I am sure you know, however, a similar construct is used in the saved search command

| savedsearch Name key="value"

but these key value pairs are not 'tokens'. The savedsearch doc refers to them as "replacement placeholder terms"

So, in your saved search/report you would then surround your replacement term with quotes, so I believe in your example your saved search should be using

 

<base search > |  search subject="$emailsubject_tok$"

 

This is how I am using those terms, surrounded with quotes and I have no problems using these when they contain spaces.

Hope this works.

 

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Is that saved search command the <query> element in a dashboard?

If so, how is the emailsubject_tok value getting there, is it from a token?

I have a similar saved search and it is working fine like this, i.e. the token is appearing in the saved search as the correct data. Both of these work

<query>| savedsearch MySavedSearch device_key="$device_key$"</query>

<query>| savedsearch MySavedSearch device_key="Long Subject Name with + | and spaces"</query>

I am not quoting my saved search name, which is not necessary if it's a single word.

 

 

0 Karma

chrisboy68
Contributor

HI, thanks for the reply. It is getting populated through the dashboard, but I'm trying to do it via the console and running into issues.

 

| savedsearch "SavedSearches With Spaces" emailsubject_tok="Long Subject Name with + | and spaces"

 

emailsubject_tok is in the report like.

<base search > |  search subject=$emailsubject_tok$ 

 

Maybe I'm messing up my quotes. Are you able to use the command with a search and token that contains spaces? Thanks!

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Tokens in dashboards are variables and when used, are surrounded with $xxx$, which I am sure you know, however, a similar construct is used in the saved search command

| savedsearch Name key="value"

but these key value pairs are not 'tokens'. The savedsearch doc refers to them as "replacement placeholder terms"

So, in your saved search/report you would then surround your replacement term with quotes, so I believe in your example your saved search should be using

 

<base search > |  search subject="$emailsubject_tok$"

 

This is how I am using those terms, surrounded with quotes and I have no problems using these when they contain spaces.

Hope this works.

 

0 Karma

chrisboy68
Contributor

Oh my, that was it. I needed to quote the token string in the Report/saved search! 

 

Thank you!

 

Chris

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...