Splunk Search

unable to use loadjob to access field value of a previous savedsearch

newsplunker2024
Explorer

I am trying to get the value of a field from a previously scheduled savedsearch into a new field using loadjob, however I am unable to get it to work.

I am using something like:

index=my_pers_index sourcetype=ACCT

| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]

wherein,

myuserid - owner id

my_app - the application name

my_saved_search - name of the saved search that is present in savedsearches.conf & is scheduled

actor - a field name in my_saved_search


PickleRick
SplunkTrust

1. This is not valid SPL. Please post your literal search in a code block or preformatted paragraph.

2. What do you mean "unable to work"? What results are you getting?


newsplunker2024
Explorer

Apologies, I am new to SPL.

My requirement is to get values of a previously run saved search in a new field in current search.

I have only changed the names in my original search; this is what I was trying to use:

index=my_pers_index sourcetype=ACCT
| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]

I was getting: Error in 'EvalCommand': Failed to parse the provided arguments. Usage: eval dest_key = expression.

Which possibly means the block of commands in [] is not returning a value as expected by eval. Any help on how I can get all the field values into a field in my current search would be appreciated.

PickleRick
SplunkTrust

OK. If you do

 [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]

Splunk will run the subsearch - load the saved search and return a string containing

actor=something

Which means your main search will effectively be

index=my_pers_index sourcetype=ACCT
| eval userid = actor=something

This is not valid SPL. Eval - as your error says - needs an assignment of field=value.

You need to return just the value from your subsearch. And for that there is a special syntax.

index=my_pers_index sourcetype=ACCT
| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return $actor]


newsplunker2024
Explorer

Thank you for your response.

I added $ sign in the return field ($actor), however I am still getting the below error.


Error in 'EvalCommand': Failed to parse the provided arguments. Usage: eval dest_key = expression.


PickleRick
SplunkTrust

If you run your subsearch on its own does it return any values?


newsplunker2024
Explorer

If you meant that if I run below only:

| loadjob savedsearch="myuserid:my_app:my_saved_search"

It runs & returns 0 events, as the last run of the search did not return any results.

PickleRick
SplunkTrust

So if you have no events to extract the "actor" field value from, there is no value to substitute into the main search, hence the error, because it effectively becomes

| eval something=


newsplunker2024
Explorer

Understood. I will find a way to handle that, as my search does not return results every time.

Thank you for your patience & help.


PickleRick
SplunkTrust

You can use a trick of appending a static result (the fallback) and returning only the first row. The problem is that you have multiple levels of subsearch expansion so you have to make sure that you properly return the results as string. For this you have to not just use "return" but manually craft the "search" field.

| eval userid = [ | loadjob savedsearch=user:app:search 
     | append [ | makeresults | eval actor="default" ]
     | head 1
     | return "\"".actor."\"" ]
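As an added illustration (not code from the thread or from Splunk), a small Python model of the string-splicing behaviour PickleRick describes: the subsearch runs first and its `return` output is pasted verbatim into the outer search, so `return actor` yields `actor=value`, `return $actor` yields the bare value, an empty saved-search result yields nothing at all (the poster's parse error), and the append/head/quote trick always yields a quoted string. The formatting rules below are an assumed simplification, not Splunk's exact quoting and escaping; the multi-row OR-ing goes slightly beyond the thread, and all sample rows are constructed.

```python
# Added example (not from the thread): a Python model of how a Splunk
# subsearch's `return` output is spliced into the outer search string.
# Assumption: simplified formatting (`actor=value` for `return actor`,
# bare `value` for `return $actor`, empty string for no rows); real Splunk
# quotes and escapes values in more cases than shown here.
from typing import Dict, List

Row = Dict[str, str]


def spl_return(rows: List[Row], spec: str, count: int = 1) -> str:
    """Emulate `| return [count] <spec>` for a single field spec.

    'actor'  -> 'actor=<value>'   (field=value pair)
    '$actor' -> '<value>'         (value only)
    Several rows are OR-ed together as `return N` does; an empty result
    set yields an empty string, which is what broke the poster's eval
    when the saved search had no results.
    """
    value_only = spec.startswith("$")
    field = spec.lstrip("$")
    parts = []
    for row in rows[:count]:
        val = row.get(field, "")
        parts.append(val if value_only else f"{field}={val}")
    if not parts:
        return ""
    if len(parts) == 1:
        return parts[0]
    return " OR ".join(f"({p})" for p in parts)


def return_with_fallback(rows: List[Row], field: str, default: str = "default") -> str:
    """Emulate the accepted trick: append a one-row fallback (makeresults +
    eval), keep only the first row (head 1), and hand-craft a double-quoted
    string so the outer eval always receives a string literal."""
    combined = rows + [{field: default}]
    first = combined[0]
    return '"' + first.get(field, default).replace('"', '\\"') + '"'


def outer_search(sub_output: str) -> str:
    """Splice the subsearch output where the bracketed subsearch stood."""
    return f"index=my_pers_index sourcetype=ACCT | eval userid = {sub_output}"


def eval_parses(search: str) -> bool:
    """Crude stand-in for the check behind the poster's error
    ("Usage: eval dest_key = expression"): the right-hand side must be
    non-empty and must be an expression, not a second `field=value`
    assignment. A quoted string literal always parses."""
    rhs = search.split("| eval userid = ", 1)[1].strip()
    if not rhs:
        return False
    if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
        return True
    return "=" not in rhs


if __name__ == "__main__":
    # Constructed sample results from the saved search (hypothetical actor).
    one_hit: List[Row] = [{"actor": "svc_backup"}]
    no_hits: List[Row] = []
    for label, sub in [
        ("return actor (one hit)", spl_return(one_hit, "actor")),
        ("return $actor (one hit)", spl_return(one_hit, "$actor")),
        ("return $actor (no hits)", spl_return(no_hits, "$actor")),
        ("fallback (no hits)", return_with_fallback(no_hits, "actor")),
    ]:
        s = outer_search(sub)
        print(f"{label:26s} -> {s!r:72s} parses={eval_parses(s)}")
```

Note that `return $actor` on a hit produces an unquoted token, which eval would read as a field reference rather than a string literal; that is why the fallback variant wraps the value in double quotes before handing it back.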