topic Export dilldown search with variables substituted in Splunk Search https://community.splunk.com/t5/Splunk-Search/Export-dilldown-search-with-variables-substituted/m-p/567796#M197889 <P>Hi Team,</P><P>I have a query related to drilldown searches of notables. I want to export/show results of drilldown searches with variables substituted corresponding to each notable.</P><P>Example, consider following search:<BR />`notable` | search event_id="XXXXXX"&nbsp;| table drilldown_search,drilldown_earliest,drilldown_latest</P><P>The above search will give me drilldown search but with variables not substituted. I want the variables to be substituted in the search results.</P><P data-unlink="true">Actual result of above search -&nbsp;index=abc action=failure user="$user$"&nbsp;</P><P data-unlink="true">Desired output -&nbsp;index=abc action=failure user="johndoe@example.com"&nbsp;<BR /><BR /></P><P data-unlink="true">Let me know if any further info is needed. Thanks in advance.</P><P data-unlink="true">Regards,</P><P data-unlink="true">Shaquib</P> Tue, 21 Sep 2021 08:10:54 GMT shaquibk 2021-09-21T08:10:54Z Export dilldown search with variables substituted https://community.splunk.com/t5/Splunk-Search/Export-dilldown-search-with-variables-substituted/m-p/567796#M197889 <P>Hi Team,</P><P>I have a query related to drilldown searches of notables. I want to export/show results of drilldown searches with variables substituted corresponding to each notable.</P><P>Example, consider following search:<BR />`notable` | search event_id="XXXXXX"&nbsp;| table drilldown_search,drilldown_earliest,drilldown_latest</P><P>The above search will give me drilldown search but with variables not substituted. I want the variables to be substituted in the search results.</P><P data-unlink="true">Actual result of above search -&nbsp;index=abc action=failure user="$user$"&nbsp;</P><P data-unlink="true">Desired output -&nbsp;index=abc action=failure user="johndoe@example.com"&nbsp;<BR /><BR /></P><P data-unlink="true">Let me know if any further info is needed. Thanks in advance.</P><P data-unlink="true">Regards,</P><P data-unlink="true">Shaquib</P> Tue, 21 Sep 2021 08:10:54 GMT https://community.splunk.com/t5/Splunk-Search/Export-dilldown-search-with-variables-substituted/m-p/567796#M197889 shaquibk 2021-09-21T08:10:54Z