All Apps and Add-ons

Why 2 dollar ($) signs in the savedsearch "DB inspection" ?

yoho
Contributor

I think everything is in the title 🙂 Extract from savedsearches.conf:

[DB inspection]
(...)
search = | inputlookup monitored_indexes.csv| fields index | dedup index | map maxsearches=99 search=" | `db_inspect_collection($$index$$)`"

I got an error with my splunk install base and traced it down to usage of "$$" in fire_brigade (something like "$unix_summary$ not found").

Why using "$$" ?

Tags (1)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi yoho,

Anything wrapped in two single dollar signs will be substituted from data in the upstream modules, so your $$index$$ will be replaced by the value of index=foo from your view/dashboard/report and will be used in this macro db_inspect_collection() like this db_inspect_collection(foo)

cheers, MuS

View solution in original post

0 Karma

sowings
Splunk Employee
Splunk Employee

I had to use double-dollar because the saved search mechanism apparently performed one level of substitution before the map command was called, meaning that when run on a schedule, I didn't get any results from the saved search. If you want to try to run this search by hand, you'll have to manually "singleify" the quotes to get it to behave.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi yoho,

Anything wrapped in two single dollar signs will be substituted from data in the upstream modules, so your $$index$$ will be replaced by the value of index=foo from your view/dashboard/report and will be used in this macro db_inspect_collection() like this db_inspect_collection(foo)

cheers, MuS

View solution in original post

0 Karma

yoho
Contributor

Ok thanks. I still don't get why I get this error message. I'll investigate a bit further.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!