Solved: Re: Why 2 dollar ($) signs in the savedsearch "DB ...

yoho · ‎04-01-2014

I think everything is in the title 🙂 Extract from savedsearches.conf:

[DB inspection]
(...)
search = | inputlookup monitored_indexes.csv| fields index | dedup index | map maxsearches=99 search=" | `db_inspect_collection($$index$$)`"

I got an error with my splunk install base and traced it down to usage of "$$" in fire_brigade (something like "$unix_summary$ not found").

Why using "$$" ?

MuS · ‎04-01-2014

Hi yoho,

Anything wrapped in two single dollar signs will be substituted from data in the upstream modules, so your $$index$$ will be replaced by the value of index=foo from your view/dashboard/report and will be used in this macro db_inspect_collection() like this db_inspect_collection(foo)

cheers, MuS

View solution in original post

sowings · ‎09-16-2014

I had to use double-dollar because the saved search mechanism apparently performed one level of substitution before the map command was called, meaning that when run on a schedule, I didn't get any results from the saved search. If you want to try to run this search by hand, you'll have to manually "singleify" the quotes to get it to behave.

MuS · ‎04-01-2014

Hi yoho,

Anything wrapped in two single dollar signs will be substituted from data in the upstream modules, so your $$index$$ will be replaced by the value of index=foo from your view/dashboard/report and will be used in this macro db_inspect_collection() like this db_inspect_collection(foo)

cheers, MuS

yoho · ‎04-09-2014

Ok thanks. I still don't get why I get this error message. I'll investigate a bit further.

Why 2 dollar ($) signs in the savedsearch "DB inspection" ?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor