Solved: Re: savedsearch command replace with a literal str...

chrisboy68 · ‎07-17-2020

Hi using a Report (cause I need to allow permissions to the data) in a dashboard passing tokens. Looking at the docs, I can use "savedsearch" command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch

|  savedsearch "MyReport" emailsubject_tok="Long Subject Name with + | and spaces"

When I look at the job log, only the first word is being replaced. So for my example, the job log shows emailsubject_tok as "Long". How can I pass this in as a literal string? Trying not to modify the string itself as this will be a user cutting and pasting email subject text.

Thank you!

Chris

bowesmana · ‎07-22-2020

Tokens in dashboards are variables and when used, are surrounded with $xxx$, which I am sure you know, however, a similar construct is used in the saved search command

| savedsearch Name key="value"

but these key value pairs are not 'tokens'. The savedsearch doc refers to them as "replacement placeholder terms"

So, in your saved search/report you would then surround your replacement term with quotes, so I believe in your example your saved search should be using

<base search > |  search subject="$emailsubject_tok$"

This is how I am using those terms, surrounded with quotes and I have no problems using these when they contain spaces.

Hope this works.

View solution in original post

bowesmana · ‎07-21-2020

Is that saved search command the <query> element in a dashboard?

If so, how is the emailsubject_tok value getting there, is it from a token?

I have a similar saved search and it is working fine like this, i.e. the token is appearing in the saved search as the correct data. Both of these work

<query>| savedsearch MySavedSearch device_key="$device_key$"</query>

<query>| savedsearch MySavedSearch device_key="Long Subject Name with + | and spaces"</query>

I am not quoting my saved search name, which is not necessary if it's a single word.

chrisboy68 · ‎07-22-2020

HI, thanks for the reply. It is getting populated through the dashboard, but I'm trying to do it via the console and running into issues.

| savedsearch "SavedSearches With Spaces" emailsubject_tok="Long Subject Name with + | and spaces"

emailsubject_tok is in the report like.

<base search > |  search subject=$emailsubject_tok$

Maybe I'm messing up my quotes. Are you able to use the command with a search and token that contains spaces? Thanks!

bowesmana · ‎07-22-2020

Tokens in dashboards are variables and when used, are surrounded with $xxx$, which I am sure you know, however, a similar construct is used in the saved search command

| savedsearch Name key="value"

but these key value pairs are not 'tokens'. The savedsearch doc refers to them as "replacement placeholder terms"

So, in your saved search/report you would then surround your replacement term with quotes, so I believe in your example your saved search should be using

<base search > |  search subject="$emailsubject_tok$"

This is how I am using those terms, surrounded with quotes and I have no problems using these when they contain spaces.

Hope this works.

chrisboy68 · ‎07-23-2020

Oh my, that was it. I needed to quote the token string in the Report/saved search!

Thank you!

Chris

savedsearch command replace with a literal string not working

other

search job inspector

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update