Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- search in savedsearch for specific field value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
from my saved search i'm trying to get the values of a field like below
<search>
<query>| savedsearch mysearch field3 = $value$ </query>
</search>
but its not working
my report query is
index = internal |stats count by field1 field2 field3 field4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The savedsearch command's tokens are for input, not output so you can do this:
|savedsearch mysearch field3="$value$" ...
But this will send the value of $value$ in to be used for field3 if mysearch was written with field3 as a token.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'll need to search after fetching your search results like this:
<search>
<query>| savedsearch mysearch | search field3 = $value$</query>
</search>
The | savedsearch command does not support filtering the results.
Also, you might want to consider using loadjob if your search is scheduled.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The savedsearch command's tokens are for input, not output so you can do this:
|savedsearch mysearch field3="$value$" ...
But this will send the value of $value$ in to be used for field3 if mysearch was written with field3 as a token.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for clarifying, It made me think in different way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If $value$ if a field name then,
index = internal | stats count by field1 field2 $field3$ field4
If you are filtering field3 with value $value$, then,
index = internal field3=$field3$ | stats count by field1 field2 field3 field4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my report query is
index = internal field1= (asterisk) field2=(asterisk) field3=(asterisk) field4=(asterisk) |stats count by field1 field2 field3 field4
i kept (asterisk) because not able to put asterisk symbol.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
then your report query should be:
index = internal field1= * field2=* field3=$field3$ field4=* |stats count by field1 field2 field3 field4
OR
index = internal field1= * field2=* field3=* field4=* |stats count(eval(field3=$field3$)) as count by field1 field2 field3 field4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You say "it's not working", but don't say what results you get or what results you expect. Please elaborate.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
like the stats with fields (field1 field2 field3 field4) are there, and i want to search the stats for specific value based on a field3. but getting all the values , not specific one.
Thanks for the Memories! Splunk University, .conf25, and our Community
Data Persistence in the OpenTelemetry Collector
Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever
