Are macros what you are looking for?
[my_macro(2)] args = arg1, arg2 definition = search index=$arg2$ sourcetype=$arg$ ...
Since you can call macros in macros this may look as if $abc$ was used as some kind of fieldname.
If you want to add any input on your dashboard(drop-down menu, check-box,multi select,etc...) , there is a section called "token".
Let's you insert there as abc into token section means you can use this variable as $abc$ in your splunk serach query. Once this inout selected by user(example dropdown menu), your search directly take this variable fr searching.
There is also detail information from the link below.
I know the usage for form inputs in dashboards. But I think it can be used in a saved search as well, here is an example with a field called clicks/user
These two options do not work
| fieldformat clicks/user=tostring(clicks/user, "commas")
| fieldformat clicks/user=tostring("clicks/user", "commas")
But when I use
| fieldformat clicks/user=tostring($clicks/user*$*, "commas")
it works fine
@HeinzWaescher, in this scenario, it operates as the
' single quotes needed to escape punctuation characters or non [a-z] stuff inside of a field name. So, the normal version of your search would be:
| fieldformat clicks/user=tostring('clicks/user', "commas")
Within an eval statement, double quotes
" are always used to specify string literals whereas the single quote
' is used to help specify fields. I would suggest keeping your field names free of punctuation and strange characters, e.g.
| eval clicks_per_user = clicks / user | fieldformat clicks_per_user = tostring(clicks_per_user, "commas")