Use Parameters in Table in Search Query in Splunk

Question

I have a saved table dataset in Splunk. When I choose to "Investigate in Search" this table dataset, I see

sample 1

| from datamodel:"My_Table_ForDay"

The SPL My_Table_ForDay looks like the following:

sample 2

index="my_index"
sourcetype="*"
earliest=@d
latest=now
| fields
  _time
  statusCode
  result
| table
  _time
  statusCode
  result

I would like to reuse My_Table_ForDay for separate days. In other words, I would like to pass a value to the datamodel that's used in the query. I want to use a parameter for the earliest attribute. For example, I would pass the following parameter values:

For today: @d
For yesterday: -1d@d
Two days ago: -2d@d

How do I a) pass a value from sample 1 and b) use a parameter in sample 2?

Thank you.

score 0 · Accepted Answer · answered May 18 '22 at 16:41

The from command does not support passing arguments. The savedsearch command does, however. You could save Sample2 as this saved search

index="my_index"
sourcetype="*"
earliest=$earliest_time$
latest=now
| fields
  _time
  statusCode
  result
| table
  _time
  statusCode
  result

And then invoke it using `| savedsearch My_Table_ForDay earliest_time="@d". See https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Savedsearch for details.

Use Parameters in Table in Search Query in Splunk

1 Answers1