Splunk Search

Is it possible to run query returned from Rest?

SMM10
Explorer

I am working on something to return our alerts from rest functions. What I want to do is allow users to historically look at the alert query and see what adjustments can be made to certain items.

| rest "/servicesNS/-/-/saved/searches"
| search title="SomeAlert"
| fields qualifiedSearch

From the search above, I want Splunk to run the qualifiedSearch, which is the search string. Is this something that is possible?

ITWhisperer
SplunkTrust

Try something like this

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$search$

SMM10
Explorer

This worked perfectly, thank you! As a follow-up, if I wanted to use this in a dashboard, would I need to do anything to the token? It runs fine as a search, but in a dashboard it seems to be waiting for the query token to get set.

ITWhisperer
SplunkTrust

For dashboards, you have to double-dollar the variable names.

| makeresults 
| eval search=[| rest splunk_server=local /servicesNS/-/-/saved/searches | where title="SomeAlert" | fields qualifiedSearch | rename qualifiedSearch as query | format "" "" "" "" "" ""]
| map search="| makeresults | map search="$$search$$

gcusello
Legend

Hi @SMM10,

You should see the savedsearch command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Savedsearch).

You could use your search in a panel and, on click, drill down into another panel or dashboard that executes the chosen search.

But the field to pass as a parameter is "title", not "qualifiedSearch".

Ciao.

Giuseppe

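The drilldown that gcusello describes, written out as a Simple XML dashboard. This is an added example, not code from the thread: the first panel lists the saved searches returned by the REST endpoint, clicking a row sets the alert_title token from that row's title, and the second panel runs the saved search by title with the savedsearch command. The token name alert_title and the title filter SomeAlert* are assumptions.

```xml
<dashboard>
  <label>Alert review (added example)</label>
  <row>
    <panel>
      <title>Saved alert searches</title>
      <table>
        <search>
          <!-- List the saved searches and their full search strings for review -->
          <query>| rest splunk_server=local /servicesNS/-/-/saved/searches
| search title="SomeAlert*"
| table title qualifiedSearch</query>
        </search>
        <!-- Clicking a row passes the saved search's title, not its qualifiedSearch;
             alert_title is an assumed token name -->
        <drilldown>
          <set token="alert_title">$row.title$</set>
        </drilldown>
      </table>
    </panel>
    <!-- Hidden until a row has been clicked -->
    <panel depends="$alert_title$">
      <title>Results of $alert_title$</title>
      <table>
        <search>
          <!-- The |s filter quotes the token so titles containing spaces are passed intact -->
          <query>| savedsearch $alert_title|s$</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Because these are dashboard tokens rather than map variables, they keep their single dollar signs; the double-dollar escaping above is only needed for the `$search$` inside the map command.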

SMM10
Explorer

Thanks for the input! In this case I want to edit the search before running, so I don't want it to really run as is with an existing job result or even with the current query. I am using it as a historical analysis on alerts to review how they missed or how far off they were during an event that it doesn't capture.
