I have a saved table dataset in Splunk. When I choose to "Investigate in Search" this table dataset, I see
sample 1
| from datamodel:"My_Table_ForDay"
The SPL My_Table_ForDay looks like the following:
sample 2
index="my_index"
sourcetype="*"
earliest=@d
latest=now
| fields
_time
statusCode
result
| table
_time
statusCode
result
I would like to reuse My_Table_ForDay for separate days. In other words, I would like to pass a value to the datamodel that's used in the query. I want to use a parameter for the earliest attribute. For example, I would pass the following parameter values:
@d-1d@d-2d@dHow do I a) pass a value from sample 1 and b) use a parameter in sample 2?
Thank you.
The from command does not support passing arguments. The savedsearch command does, however. You could save Sample2 as this saved search
index="my_index"
sourcetype="*"
earliest=$earliest_time$
latest=now
| fields
_time
statusCode
result
| table
_time
statusCode
result
And then invoke it using `| savedsearch My_Table_ForDay earliest_time="@d". See https://docs.splunk.com/Documentation/Splunk/8.2.6/SearchReference/Savedsearch for details.