https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34823#M7580 <P>No joy, still gives the same error :-(. Thanks though.</P> Thu, 16 May 2013 14:00:16 GMT phemmer 2013-05-16T14:00:16Z https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34819#M7576 <P>I am trying to create a macro which uses <CODE>$startime$</CODE> and <CODE>$endtime$</CODE> in a <CODE>map</CODE>. Whenever I do however I get the following error:</P> <PRE><CODE>Error in 'map': Did not find value for required attribute 'starttime'. </CODE></PRE> <P>Also this only happens if I specify a search time frame such as "Last 15 minutes". If I specify a custom time frame with specific beginning and end it works.</P> <P>Here is the macro:</P> <PRE><CODE>$search$ | localize timebefore=10s timeafter=10s | map search="search ( ($search$) OR ($filter$) ) starttimeu=$starttime$ endtimeu=$endtime$" | eval _raw=strftime(_time, "%T")." - "._raw | transaction maxpause=10s </CODE></PRE> <P>The parameters are <CODE>search</CODE> and <CODE>filter</CODE>.</P> <P>Additionally when I run the macro by hand, substituting the parameters, it works.</P> <P>For example, this fails:</P> <PRE><CODE>`surrounding("status&gt;=500 status&lt;=599", "error")` </CODE></PRE> <P>But this works:</P> <PRE><CODE>status&gt;=500 status&lt;=599 | localize timebefore=10s timeafter=10s | map search="search ( (status&gt;=500 status&lt;=599) OR (error) ) starttimeu=$starttime$ endtimeu=$endtime$" | eval _raw=strftime(_time, "%T")." - "._raw | transaction maxpause=10s </CODE></PRE> Wed, 15 May 2013 15:31:37 GMT https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34819#M7576 phemmer 2013-05-15T15:31:37Z https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34820#M7577 <P>you are not passing $starttime$ and $endtime$ as arguments in macro call...</P> <P>-Kamal Bisht</P> Thu, 16 May 2013 06:09:24 GMT https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34820#M7577 kml_uvce 2013-05-16T06:09:24Z https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34821#M7578 <P>You are correct, because they are not arguments. See documentation on <CODE>map</CODE> and <CODE>localize</CODE>.</P> Thu, 16 May 2013 12:22:51 GMT https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34821#M7578 phemmer 2013-05-16T12:22:51Z https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34822#M7579 <P>When I had to pass a field through to the map command like this (<EM>note:</EM> as part of saved search!), I had to double the dollar signs: </P> <P><CODE><BR /> | inputlookup monitored_indexes.csv| fields index | dedup index | map maxsearches=99 search=" | <CODE>db_inspect_collection($$index$$)</CODE>"<BR /> </CODE></P> <P>Maybe doubling the dollar signs can help you?</P> Mon, 28 Sep 2020 13:55:05 GMT https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34822#M7579 sowings 2020-09-28T13:55:05Z https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34823#M7580 <P>No joy, still gives the same error :-(. Thanks though.</P> Thu, 16 May 2013 14:00:16 GMT https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34823#M7580 phemmer 2013-05-16T14:00:16Z https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34824#M7581 <P>Unrelated, but that worked for me when adding a map command (with substitutions) to a dashboard. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 25 Jun 2018 20:04:40 GMT https://community.splunk.com/t5/Splunk-Search/Using-starttime-and-endtime-in-a-macro-with-map/m-p/34824#M7581 reed_kelly 2018-06-25T20:04:40Z