Splunk Search

savedsearch command replace with a literal string not working

chrisboy68
Contributor

Hi using a Report (cause I need to allow permissions to the data) in a dashboard passing tokens. Looking at the docs, I can use "savedsearch" command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch

 

 

|  savedsearch "MyReport" emailsubject_tok="Long Subject Name with + | and spaces"

 

 

 

When I look at the job log, only the first word is being replaced. So for my example, the job log shows emailsubject_tok as "Long".  How can I pass this in as a literal string? Trying not to modify the string itself as this will be a user cutting and pasting email subject text.

Thank you!

 Chris

Labels (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Tokens in dashboards are variables and when used, are surrounded with $xxx$, which I am sure you know, however, a similar construct is used in the saved search command

| savedsearch Name key="value"

but these key value pairs are not 'tokens'. The savedsearch doc refers to them as "replacement placeholder terms"

So, in your saved search/report you would then surround your replacement term with quotes, so I believe in your example your saved search should be using

 

<base search > |  search subject="$emailsubject_tok$"

 

This is how I am using those terms, surrounded with quotes and I have no problems using these when they contain spaces.

Hope this works.

 

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Is that saved search command the <query> element in a dashboard?

If so, how is the emailsubject_tok value getting there, is it from a token?

I have a similar saved search and it is working fine like this, i.e. the token is appearing in the saved search as the correct data. Both of these work

<query>| savedsearch MySavedSearch device_key="$device_key$"</query>

<query>| savedsearch MySavedSearch device_key="Long Subject Name with + | and spaces"</query>

I am not quoting my saved search name, which is not necessary if it's a single word.

 

 

0 Karma

chrisboy68
Contributor

HI, thanks for the reply. It is getting populated through the dashboard, but I'm trying to do it via the console and running into issues.

 

| savedsearch "SavedSearches With Spaces" emailsubject_tok="Long Subject Name with + | and spaces"

 

emailsubject_tok is in the report like.

<base search > |  search subject=$emailsubject_tok$ 

 

Maybe I'm messing up my quotes. Are you able to use the command with a search and token that contains spaces? Thanks!

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Tokens in dashboards are variables and when used, are surrounded with $xxx$, which I am sure you know, however, a similar construct is used in the saved search command

| savedsearch Name key="value"

but these key value pairs are not 'tokens'. The savedsearch doc refers to them as "replacement placeholder terms"

So, in your saved search/report you would then surround your replacement term with quotes, so I believe in your example your saved search should be using

 

<base search > |  search subject="$emailsubject_tok$"

 

This is how I am using those terms, surrounded with quotes and I have no problems using these when they contain spaces.

Hope this works.

 

0 Karma

chrisboy68
Contributor

Oh my, that was it. I needed to quote the token string in the Report/saved search! 

 

Thank you!

 

Chris

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...