Reputation: 1223
Use Parameters in Table in Search Query in Splunk
I have a saved table dataset in Splunk. When I choose to "Investigate in Search" this table dataset, I see
sample 1
| from datamodel:"My_Table_ForDay"
The SPL My_Table_ForDay looks like the following:
sample 2
index="my_index"
sourcetype="*"
earliest=@d
latest=now
| fields
_time
statusCode
result
| table
_time
statusCode
result
I would like to reuse My_Table_ForDay for separate days. In other words, I would like to pass a value to the datamodel that's used in the query. I want to use a parameter for the earliest attribute. For example, I would pass the following parameter values:
- For today:
@d - For yesterday:
-1d@d - Two days ago:
-2d@d
How do I a) pass a value from sample 1 and b) use a parameter in sample 2?
Thank you.
Upvotes: 2
Views: 1556
Answers (1)
Reputation: 9926
The from command does not support passing arguments. The savedsearch command does, however. You could save Sample2 as this saved search
index="my_index"
sourcetype="*"
earliest=$earliest_time$
latest=now
| fields
_time
statusCode
result
| table
_time
statusCode
result
And then invoke it using `| savedsearch My_Table_ForDay earliest_time="@d". See https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Savedsearch for details.
Upvotes: 0
Related Questions
- how do i pass a result from one search into IN clause of another search in splunk?
- SPLUNK use result from first search in second search
- Splunk search query syntax?
- How to add multiple queries in one search in Splunk
- How to reference an eval variable in query
- How to do compound query with where clause in Splunk?
- Splunk Cloud search query with variable does not return results
- Searching for a particular kind of field in Splunk
- Adding custom fields to splunk query
- Assign a value to the variable in Splunk and use that value in the search