Splunk Search

How to add a dynamic value to a search query?

s0k0
Observer

I have created a POST endpoint to add data to Splunk. Internally my API hits the Splunk API, and in that call I send data in the body, and that data gets created in my Splunk table.
I want to add a dynamic value to the search query that my API sends to Splunk.
How can I achieve that? Please help.

method: "POST",
path: "/api/addSplunk",
handler: async (request, h) => {
    const ccmData = getServerConfig(request);
    const url = ccmData["splunkApiUrl"];
    const ChannelName = request.payload.channel_name;  // I want to use this value in the search query
    const Channel = request.payload.channel_type;

    function xmlTranslate(resp) {
        return resp.text()
    }

    // Note: rejectUnauthorized: false disables TLS certificate verification for this request
    const httpsAgent = new https.Agent({
        rejectUnauthorized: false
    });

    const options = {
        method: "POST",
        headers: {
            "Authorization": "dr356654fy6",
            "Content-Type": "application/x-www-form-urlencoded"
        },
        agent: httpsAgent,
        translate: xmlTranslate,
        body: 'search=| makeresults | eval Channel ="372864u31564719" | eval ChannelName = "4P customer" | table Channel,ChannelName | outputlookup channel.csv append=true'
    };

    const res = await fetch(url, options, xmlTranslate);
}
 
Right now I have hardcoded it like this: eval Channel ="372864u31564719" | eval ChannelName = "4P customer". I want to use dynamic values for Channel and ChannelName in the search query for different use cases (i.e. coming from the request payload).
0 Karma

s0k0
Observer

Hi @TrangCIC81, I tried this; it didn't work.

@VatsalJagani thank you so much, it works!!
0 Karma

VatsalJagani
SplunkTrust

@s0k0 - I'm glad that it works!! Kindly consider accepting my answer which helped you resolve your question, so that other community members can easily see it.

0 Karma

TrangCIC81
Communicator

Can you verify if the values for ChannelName and Channel do not contain any special characters that might interfere with the construction of the string in the body of the request?

Also try logging the values of ChannelName and Channel to the console to verify that they are being properly read.

0 Karma

s0k0
Observer

Yes, they don't have any special characters. Inside the options object the ChannelName and Channel values were not being read.

Outside the options object their values are read; I checked with console logging.
So I built the whole query outside the options object, with the dynamic values, and then appended it to the body:

const query = `| makeresults | eval Channel="${Channel}" | eval ChannelName="${ChannelName}" | table Channel,ChannelName | outputlookup channel.csv append=true`;

const options = {
    method: "POST",
    headers: {
        "Authorization": authToken,
        "Content-Type": "application/x-www-form-urlencoded"
    },
    agent: httpsAgent,
    translate: xmlTranslate,
    body: `search=${query}`
};

This works!!


Thank you so much for resolving.


0 Karma

TrangCIC81
Communicator

Ah ok. No problem. 
Cheers!!

0 Karma

VatsalJagani
SplunkTrust

@s0k0 - You can use query with variables, something like this:

const ChannelName= request.payload.channel_name;
const Channel= request.payload.channel_type;
const query = `| makeresults | eval Channel="${Channel}" | eval ChannelName="${ChannelName}" | table Channel,ChannelName | outputlookup channel.csv append=true`;
const options = {
  method: "POST",
  headers: {
    "Authorization": "dr356654fy6",
    "Content-Type": "application/x-www-form-urlencoded"
  },
  agent: httpsAgent,
  translate: xmlTranslate,
  body: `search=${encodeURIComponent(query)}`
};


Kindly upvote if you find it useful!!!

0 Karma

TrangCIC81
Communicator

To add dynamic values to your Splunk search query, you can use string interpolation. Here's an example of how you can modify your code to use the values from the request payload.
Let me know if it works.

method: "POST",
path: "/api/addSplunk",
handler: async (request, h) => {
    const ccmData = getServerConfig(request);
    const url = ccmData["splunkApiUrl"];
    const ChannelName = request.payload.channel_name;
    const Channel = request.payload.channel_type;

    function xmlTranslate(resp) {
        return resp.text()
    }

    const httpsAgent = new https.Agent({
        rejectUnauthorized: false
    });

    // Use string interpolation to insert dynamic values in the search query
    const query = `| makeresults | eval Channel="${Channel}" | eval ChannelName="${ChannelName}" | table Channel,ChannelName | outputlookup channel.csv append=true`;

    const options = {
        method: "POST",
        headers: {
            "Authorization": "dr356654fy6",
            "Content-Type": "application/x-www-form-urlencoded"
        },
        agent: httpsAgent,
        translate: xmlTranslate,
        body: `search=${encodeURIComponent(query)}`
    };

    // Send the search and return the raw response body, as in the original handler
    const res = await fetch(url, options);
    return xmlTranslate(res);
}
0 Karma
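Both answers above (VatsalJagani's and TrangCIC81's) interpolate the request payload straight into the SPL string. That solves the question asked, but it also means the caller of /api/addSplunk controls part of a search that writes to a lookup: a channel_name such as 4P" | delete, or one that names a different outputlookup target, becomes part of the search exactly as sent. The block below is an added example, not code from the thread, showing how to keep the dynamic values while preventing them from changing the query: an allowlist for the identifier-like channel_type, a length and printable-character check for the free-text channel_name, escaping for SPL double-quoted string literals, and URLSearchParams for the form body. The regexes, the Bearer token scheme, the output_mode=json parameter and the function names are assumptions for illustration, not part of the original code.

```javascript
// Added example (not from the thread). Builds the form body for the Splunk
// search endpoint from request-supplied values without letting those values
// change the SPL. The patterns and helper names below are assumptions.

// channel_type looks like an opaque identifier in the thread, so it gets a
// strict allowlist: letters, digits, underscore and hyphen only.
const CHANNEL_TYPE_RE = /^[A-Za-z0-9_-]{1,64}$/;

// channel_name is free text, so it is escaped rather than allowlisted, but
// still length-capped and restricted to printable ASCII.
const CHANNEL_NAME_RE = /^[\x20-\x7E]{1,128}$/;

function checkValue(field, value, re) {
  if (typeof value !== "string" || !re.test(value)) {
    throw new Error(`${field}: missing or contains disallowed characters`);
  }
  return value;
}

// Quote a value as an SPL double-quoted string literal. Inside such a
// literal Splunk treats backslash as the escape character, so backslash and
// the double quote are the two characters that must be escaped; a pipe,
// which starts a new command in unquoted SPL, is harmless inside the quotes.
function splQuote(value) {
  return '"' + value.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

function buildChannelQuery(channel, channelName) {
  const ch = checkValue("channel_type", channel, CHANNEL_TYPE_RE);
  const name = checkValue("channel_name", channelName, CHANNEL_NAME_RE);
  return (
    "| makeresults" +
    ` | eval Channel=${splQuote(ch)}` +
    ` | eval ChannelName=${splQuote(name)}` +
    " | table Channel,ChannelName" +
    " | outputlookup channel.csv append=true"
  );
}

// application/x-www-form-urlencoded body for the Splunk search endpoint.
// URLSearchParams percent-encodes the query, which the thread did by hand
// with encodeURIComponent; output_mode=json is an assumption that makes the
// response easier to check than the default XML.
function buildSearchBody(channel, channelName) {
  const params = new URLSearchParams();
  params.set("search", buildChannelQuery(channel, channelName));
  params.set("output_mode", "json");
  return params.toString();
}

// Request options for fetch. The token comes from configuration rather than
// a literal in the source, and TLS verification stays on: rejectUnauthorized
// defaults to true, so give the agent your CA bundle instead of turning
// verification off as the original handler did.
function buildRequestOptions(token, body, agent) {
  return {
    method: "POST",
    headers: {
      Authorization: `Bearer ${token}`, // assumes a Splunk authentication token
      "Content-Type": "application/x-www-form-urlencoded",
    },
    agent,
    body,
  };
}
```

In the handler, replace the template-string body with buildSearchBody(request.payload.channel_type, request.payload.channel_name) and let the thrown error map to a 400 response; an invalid channel_type is rejected before any request reaches Splunk, and a channel_name containing quotes or pipes arrives in the lookup as plain text rather than as extra SPL commands.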