Solved: Re: Why is the substitution string is not working ...

wfrankl2 · ‎04-05-2018

From the documentation
"When using a saved search or a literal search, the map command supports the substitution of $variable$ strings that match field names in the input results"
So this is a basic example of what I'm trying to do. The actual work is that I am running a search on some data and with each value returned, if any, would need to execute a different saved search. So I need to be able to assign the correct saved search name that's used based on a value in the result. then call the saved search to run. So I can't hard code the saved search in the map command because it's different for every event.

index="testdata" | eval alert="My Test Alert"
   | map $alert$

elliotproebstel · ‎04-05-2018

You'll need to combine the map command with the savedsearch command to reference the saved search in the mapped subsearch. Here's a little demo.

First, create a saved search called test_generate. The code in this saved search:

| makeresults 
| eval testfield="test_generate ran"

Then, test loading it in a new search:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

This will result in Splunk running your saved search and returning a stats table with the current time and testfield="test_generate ran". This can serve as a template for what you're trying to do.

View solution in original post

elliotproebstel · ‎04-05-2018

You'll need to combine the map command with the savedsearch command to reference the saved search in the mapped subsearch. Here's a little demo.

First, create a saved search called test_generate. The code in this saved search:

| makeresults 
| eval testfield="test_generate ran"

Then, test loading it in a new search:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

This will result in Splunk running your saved search and returning a stats table with the current time and testfield="test_generate ran". This can serve as a template for what you're trying to do.

wfrankl2 · ‎04-05-2018

hmmm ok so a little confused you are still using the actual saved search name in the map. My example I provided was not very well expressed my apologies. Let me go about it like this.
index=testindex |stats count by fielda|eval search_name=if(fielda=="John","John Alert","EveryoneElse Alert")
|map $search_name$

So if I get 2 rows back
fielda=john saved_search="John Alert"
fieldb=joan saved_search="EveroneElse Alert"

Then I get John Alert executed for the first row.
Then EveryoneElse Alert for the second row.

elliotproebstel · ‎04-06-2018

Ok, I got it! Here's the revised syntax:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

Give this a try. If it works, I'll update the original answer so you can accept it.

wfrankl2 · ‎04-06-2018

hey that worked!!! Thank you that's perfect!

elliotproebstel · ‎04-06-2018

Great! I fixed the original answer, so you can accept it. Glad we got it working!

elliotproebstel · ‎04-05-2018

Ah, you're right. I didn't carry the variable through, and when I test that now, it doesn't work. I'll keep trying. Sorry about that!

Why is the substitution string is not working when using the map command to execute a saved search?

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...