You can add arguments to your user functions by using the ?argname in your saved query. The saved query can be called with the supplied arguments value for each named paarameter. For example, given the following query:

host = ?host

Now save the query as findhost, you can execute the query using:

$findhost(host="gendarme")

The parameter and value provided to saved queries in this way are limited to string values.

Multiple arguments can be added during the process. For example, when processing syslog data you can parse the content, create new fields, and then query that in the output:

regex(regex="Service exited due to (?<signal>\S+)")
| signal = ?signal
| regex(regex="sent by (?<process>\S+)[\d+]")
| process = ?process

Now we have two arguments which we can save to as a query killedprocess and then query for killed processes:

$killedprocess(signal="SIGKILL", process="mds")

To call with only one argument, you can set a default value for the argument using ?{argument=default}, for example:

?{signal="*" }
| ?{process="*"}
| regex(regex="Service exited due to (?<signal>\S+)")
| signal = ?signal
| regex(regex="sent by (?<process>\S+)\[\d+\]")
| process = ?process

Now you call the query with either argument:

$killedprocess(process="mds")

Starting from LogScale version 1.140, you can pass multi-valued arguments to a saved query. For example:

$mySavedQuery(mvArgument=["value1", "value2", "value3"])

It can be used to pass multiple values to functions, for example:

in(values=?mvArgument)

Saved queries can be used in subqueries, passed to query functions that allow function arguments. However, saved queries used in such context must still meet the same requirements of the function they are in.

For example, saved queries can be used in functions such as stats() or groupBy(), like this:

groupBy("myField", function=[count(), {id=42
| $"My Saved Query"() }])