This appears to work in 6.2.1 (maybe earlier?) without the saved search workaround.

The same issue is occurring with Splunk 6 SimpleXML dashboards. Consider this very simple example:

<dashboard>
  <row>
    <table>
      <searchString>index=_internal error | localize | map search="search index=_internal earliest=$starttime$ latest=$endtime$"</searchString>
    </table>
  </row>
</dashboard>

That yields "Search query is not fully resolved" as expected. Doubling up the dollar signs yields the same error message, and quadrupling the dollar signs gives me "Unable to run query 'search index=_internal earliest=$1394717566$ latest=$1394717753$'."

Those quotes are required by the map command, running a working search in the regular searches view breaks if you remove the quotes. Without quotes everything after the first word is ignored, running the empty query "search" which must yield nothing.

Regardless I have tried your code snippet in the dashboard, and it doesn't produce any results while a working search in the searches view for the same timerange does.

Behind the scenes $$starttime$$ is still replaced with $1391068887$, but that isn't throwing an error because it's not part of the search string anymore.

Hi Martin

Can you try this:

var search1 = new SearchManager({
"id": "search1",
"search": "index=_internal error | localize | map search=search index=_internal earliest=$$starttime$$ latest=$$endtime$$",
"status_buckets": 0,
"latest_time": "now",
"earliest_time": "-15m@m",
"cancelOnUnload": true,
"auto_cancel": 90,
"preview": true
}, {tokens: false});

I believe the quotes around the inner search for the map command is causing the problem and does not seem to be required.

-Mark

Using $$token$$ and tokens:true or mvc.tokenSafe(1) also gives me "Search query is not fully resolved.", so SplunkJS is trying to substitute something where I don't want it to.

Correct, I'm trying to get $token$ to appear literally in my search string. I have tried those two approaches already, as described in my question.

Using $token$ with tokens:false gives me an unresolved query error.

Using $$token$$ gives me a literal $$token$$, which then gets replaced with $12345$ if $token$'s value is 12345.
However, in this double-dollar case I think I may have had tokens still set to false... I'll set it to true tomorrow and give it another shot to see if it makes a difference.

I am not familiar with the map command. Based on the doc it looks like you actually need to pass it literal dollar signs for it to do its own substitution. Therefore if you pass "$token$" with {tokens: false} it should get to the map command correctly. Or if you use "$ $token$ $" (no spaces) with {tokens: true} it should also work. I have not tested either of these.

Do you have another idea to solve this?

Yes, see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/map for reference.

get values from the pipeline before the map command into the search run by the map command

This appears to be an entirely different question. So you want to run a search, extract an earliest_time from it somehow, and run a "map" search command that takes the first search as input but uses the earliest_time that was extracted?

...ran out of space...

The key here is to get values from the pipeline before the map command into the search run by the map command, not to get tokens from somewhere in the SplunkJS dashboard into the search.

Thanks for taking a stab at this.
I've taken your SearchManager definition and ran it locally - while it does produce results, I fear they're incorrect.

Running the search from the SearchManager in the search app manually, I get events from the past ten-ish minutes, because _internal has no "error" events before that. However, running it from the SplunkJS dashboard gives me many more events including ones from up to 15 minutes ago.
My guess is that the "-15m@m" you set after creating the SearchManager are written into the map command rather than using the values from the localize.