Solved: When to use a search macro and why am I getting an...

DataOrg · ‎09-06-2018

The index query runs from base query, and i want to append saved search to base query.
The saved search is just a filtration query. Since i have many panels from the same index, i tried to use it.
Please give suggestions if there are any available and don't give suggestions to use directly in panel. if I have this in saved-search, I'll use in other dashboards also.

index="******" host="****" source="Perfmon" counter="Available MBytes" sourcetype="Available_Memory" |  savedsearch Prem_test

It throws below error :

Error in 'SearchParser': The savedsearch command can only be used as the first command on a search savedsearch query  "| eval Value=round(Value/1024,1) | timechart span=1h eval(round(avg(Value),2)) As "Available""

harsmarvania57 · ‎09-06-2018

Hi @DataOrg,

You need to create macro for filtration instead of creating saved search.

1.) Create macro with query eval Value=round(Value/1024,1) | timechart span=1h eval(round(avg(Value),2)) As "Available", lets say macro name is filteration_query
2.) Now modify your search query

index="" host="" source="Perfmon" counter="Available MBytes" sourcetype="Available_Memory" | filteration_query

View solution in original post

harsmarvania57 · ‎09-06-2018

Hi @DataOrg,

You need to create macro for filtration instead of creating saved search.

1.) Create macro with query eval Value=round(Value/1024,1) | timechart span=1h eval(round(avg(Value),2)) As "Available", lets say macro name is filteration_query
2.) Now modify your search query

index="" host="" source="Perfmon" counter="Available MBytes" sourcetype="Available_Memory" | filteration_query

DataOrg · ‎09-06-2018

@harsmarvania57 ... it works in search but if i add in panels results are not displaying. pls help

harsmarvania57 · ‎09-06-2018

For me it is working in Dashboard Panel, what problem are you facing ? Any error ?

DataOrg · ‎09-06-2018

@harsmarvania57 the available column is displaying empty results. but in search its shows value

harsmarvania57 · ‎09-06-2018

Please provide your Dashboard XML Code because for me it is working fine in my lab.

DataOrg · ‎09-06-2018

@harsmarvania57 this is xml and index is running in base query.. _time is displaying panel but another column which has data is not displaying

<panel>
  <table>
    <title>Data Server : Average Available Memory (In GB) gt</title>
    <search base="base_Prof">
      <query>`test_prem`</query>
    </search>
    <option name="drilldown">none</option>
    <option name="link.exportResults.visible">0</option>
    <option name="link.inspectSearch.visible">0</option>
    <option name="link.openPivot.visible">0</option>
    <option name="link.openSearch.visible">1</option>
    <option name="refresh.display">progressbar</option>
    <option name="refresh.link.visible">0</option>
  </table>
</panel>

harsmarvania57 · ‎09-06-2018

Based on document , A base search should be a transforming search that returns results formatted as a statistics table. Here I am assuming that your base search is index="*" host="*" source="Perfmon*" counter="Available MBytes" sourcetype="Available_Memory" which is not correct because you are not doing any statistic here.

DataOrg · ‎09-06-2018

@harsmarvania57 so how can i achieve this search?
can u pls share the xml how its worked for you.

harsmarvania57 · ‎09-07-2018

What you would like to achieve ? Because I used query (which I have provided in answer) directly in dashboard.

When to use a search macro and why am I getting an error from the following savedsearch?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...