I am trying to get the value of a field from a previous scheduled savedsearch in a new field using loadjob, however I am unable to get it to work.
I am using something like:
index=my_pers_index sourcetype=ACCT
| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]
wherein,
myuserid - owner id
my_app - is the application name
my_saved_search - name of the saved search that is present in savedsearches.conf & is scheduled
actor is a field name in - my_saved_search

1. This is not valid SPL. Please post your literal search in a code block or preformatted paragraph.
2. What do you mean "unable to work"? What results are you getting?
Apologies I am new to SPL.
My requirement is to get values of a previously run saved search in a new field in current search.
And I have only changed the names in my original search, it is what I was trying to use:
index=my_pers_index sourcetype=ACCT
| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]
I was getting Error in 'EvalCommand': Failed to parse the provided arguments. Usage: eval dest_key = expression.
Which possibly means the block of commands in [] is not returning a value as expected by eval. Any help on how I can get all the field values into a field in my current search would be appreciated.

OK. If you do
[| loadjob savedsearch="myuserid:my_app:my_saved_search" | return actor]
Splunk will run the subsearch - load the saved search and return a string containing
actor=something
Which means your main search will effectively be
index=my_pers_index sourcetype=ACCT
| eval userid = actor=something
This is not valid SPL. Eval - as your error says - needs an assignment of field=value.
You need to return just the value from your subsearch. And for that there is a special syntax.
index=my_pers_index sourcetype=ACCT
| eval userid = [| loadjob savedsearch="myuserid:my_app:my_saved_search" | return $actor]
Thank you for your response.
I added $ sign in the return field ($actor), however I am still getting the below error.
Error in 'EvalCommand': Failed to parse the provided arguments. Usage: eval dest_key = expression.

If you run your subsearch on its own does it return any values?
If you meant that if I run below only:
| loadjob savedsearch="myuserid:my_app:my_saved_search"
It runs & returns 0 events as last run of the search did not return any result.

So if you have no events to extract the "actor" field value from, there is no value to substitute into main search hence the error because it effectively becomes
| eval something=
Understood. I will find a way to handle that, as my search does not return a result every time.
Thank you for your patience & help.

You can use a trick of appending a static result (the fallback) and returning only the first row. The problem is that you have multiple levels of subsearch expansion, so you have to make sure that you properly return the results as a string. For this you have to not just use "return" but manually craft the "search" field.
| eval userid = [ | loadjob savedsearch=user:app:search
| append [ | makeresults | eval actor="default" ]
| head 1
| eval search="\"".actor."\""
| fields search ]
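
Added example, not from any of the posts above: running each subsearch form as a standalone search shows, in the `search` field, the literal text it would substitute into the outer `eval`. Here `makeresults` stands in for `loadjob`, and the `actor` value "jdoe" and the `variant` label field are constructed for illustration.

```spl
| makeresults
| eval actor="jdoe"
| return actor
| eval variant="return with plain field name"
| append
    [ | makeresults
      | eval actor="jdoe"
      | return $actor
      | eval variant="return with dollar-prefixed field name" ]
| append
    [ | makeresults
      | eval actor="jdoe"
      | eval search="\"".actor."\""
      | fields search
      | eval variant="hand-built search field" ]
| table variant search
```

Only a row whose `search` text is a complete eval expression on its own (a quoted string, a number, or an existing field name) can follow `eval userid =` without a parse error or an unintended field reference.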
