I think everything is in the title 🙂 Extract from savedsearches.conf:
[DB inspection]
(...)
search = | inputlookup monitored_indexes.csv| fields index | dedup index | map maxsearches=99 search=" | `db_inspect_collection($$index$$)`"
I got an error with my Splunk install base and traced it down to the usage of "$$" in fire_brigade (something like "$unix_summary$ not found").
Why use "$$"?
Hi yoho,
Anything wrapped in two single dollar signs will be substituted from data in the upstream modules, so your $$index$$ will be replaced by the value of index=foo from your view/dashboard/report and will be used in this macro db_inspect_collection() like this: db_inspect_collection(foo)
cheers, MuS
I had to use double-dollar because the saved search mechanism apparently performed one level of substitution before the map command was called, meaning that when run on a schedule, I didn't get any results from the saved search. If you want to try to run this search by hand, you'll have to manually "singleify" the quotes to get it to behave.
Ok thanks. I still don't get why I get this error message. I'll investigate a bit further.