topic Re: Why is the substitution string is not working when using the map command to execute a saved search? in Reporting

Why is the substitution string is not working when using the map command to execute a saved search?

wfrankl2 — Thu, 05 Apr 2018 13:43:06 GMT

From the documentation
"When using a saved search or a literal search, the map command supports the substitution of $variable$ strings that match field names in the input results"
So this is a basic example of what I'm trying to do. The actual work is that I am running a search on some data and with each value returned, if any, would need to execute a different saved search. So I need to be able to assign the correct saved search name that's used based on a value in the result. then call the saved search to run. So I can't hard code the saved search in the map command because it's different for every event.

index="testdata" | eval alert="My Test Alert"
   | map $alert$

Re: Why is the substitution string is not working when using the map command to execute a saved search?

elliotproebstel — Thu, 05 Apr 2018 15:59:43 GMT

You'll need to combine the map command with the savedsearch command to reference the saved search in the mapped subsearch. Here's a little demo.

First, create a saved search called test_generate. The code in this saved search:

| makeresults 
| eval testfield="test_generate ran"

Then, test loading it in a new search:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

This will result in Splunk running your saved search and returning a stats table with the current time and testfield="test_generate ran". This can serve as a template for what you're trying to do.

Re: Why is the substitution string is not working when using the map command to execute a saved search?

wfrankl2 — Tue, 29 Sep 2020 18:56:17 GMT

hmmm ok so a little confused you are still using the actual saved search name in the map. My example I provided was not very well expressed my apologies. Let me go about it like this.
index=testindex |stats count by fielda|eval search_name=if(fielda=="John","John Alert","EveryoneElse Alert")
|map $search_name$

So if I get 2 rows back
fielda=john saved_search="John Alert"
fieldb=joan saved_search="EveroneElse Alert"

Then I get John Alert executed for the first row.
Then EveryoneElse Alert for the second row.

Re: Why is the substitution string is not working when using the map command to execute a saved search?

elliotproebstel — Thu, 05 Apr 2018 17:21:10 GMT

Ah, you're right. I didn't carry the variable through, and when I test that now, it doesn't work. I'll keep trying. Sorry about that!

Re: Why is the substitution string is not working when using the map command to execute a saved search?

elliotproebstel — Fri, 06 Apr 2018 12:55:02 GMT

Ok, I got it! Here's the revised syntax:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

Give this a try. If it works, I'll update the original answer so you can accept it.

Re: Why is the substitution string is not working when using the map command to execute a saved search?

wfrankl2 — Fri, 06 Apr 2018 14:21:26 GMT

hey that worked!!! Thank you that's perfect!

Re: Why is the substitution string is not working when using the map command to execute a saved search?

elliotproebstel — Fri, 06 Apr 2018 14:35:20 GMT

Great! I fixed the original answer, so you can accept it. Glad we got it working!