Hi,

I have a search that produces an error when directly ran in the interface, but it's meant to be called with | savedsearch so the error is okay with me. Since it produces an error though, the interface will not let me save it. How do I save this search so that I can call it?

Search:

| makeresults | multireport 
[| savedsearch "$exchange_toggle$" earliest_epoch="$earliest_epoch$" latest_epoch="$latest_epoch$" network_id="$network_id$"]
[| savedsearch "$badge_toggle$" earliest_epoch="$earliest_epoch$" latest_epoch="$latest_epoch$" network_id="$network_id$"]
[| savedsearch "$vpn_toggle$" earliest_epoch="$earliest_epoch$" latest_epoch="$latest_epoch$" network_id="$network_id$"]
| sendemail to="$send_to$" server=smtp.mycompany.com subject="Here is your requested Splunk report." message="Results:" sendresults=true inline=true sendcsv=true

Called from this in a dashboard:

... | savedsearch user_activity_master earliest_epoch="$earliest_epoch$" latest_epoch="$latest_epoch$" network_id="$network_id$" send_to="$send_to$" exchange_toggle="$mytoken1$" vpn_toggle="$mytoken2$" badge_toggle="$mytoken3$"