Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is the substitution string is not working when using the map command to execute a saved search?

wfrankl2
Explorer
‎04-05-2018 06:43 AM

From the documentation
"When using a saved search or a literal search, the map command supports the substitution of $variable$ strings that match field names in the input results"
So this is a basic example of what I'm trying to do. The actual work is that I am running a search on some data and with each value returned, if any, would need to execute a different saved search. So I need to be able to assign the correct saved search name that's used based on a value in the result. then call the saved search to run. So I can't hard code the saved search in the map command because it's different for every event.

index="testdata" | eval alert="My Test Alert"
   | map $alert$
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-05-2018 08:59 AM

You'll need to combine the map command with the savedsearch command to reference the saved search in the mapped subsearch. Here's a little demo.

First, create a saved search called test_generate. The code in this saved search:

| makeresults 
| eval testfield="test_generate ran"

Then, test loading it in a new search:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

This will result in Splunk running your saved search and returning a stats table with the current time and testfield="test_generate ran". This can serve as a template for what you're trying to do.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-05-2018 08:59 AM

You'll need to combine the map command with the savedsearch command to reference the saved search in the mapped subsearch. Here's a little demo.

First, create a saved search called test_generate. The code in this saved search:

| makeresults 
| eval testfield="test_generate ran"

Then, test loading it in a new search:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

This will result in Splunk running your saved search and returning a stats table with the current time and testfield="test_generate ran". This can serve as a template for what you're trying to do.

0 Karma
Reply
Solved! Jump to solution

wfrankl2
Explorer
‎04-05-2018 09:48 AM

hmmm ok so a little confused you are still using the actual saved search name in the map. My example I provided was not very well expressed my apologies. Let me go about it like this.
index=testindex |stats count by fielda|eval search_name=if(fielda=="John","John Alert","EveryoneElse Alert")
|map $search_name$

So if I get 2 rows back
fielda=john saved_search="John Alert"
fieldb=joan saved_search="EveroneElse Alert"

Then I get John Alert executed for the first row.
Then EveryoneElse Alert for the second row.

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-06-2018 05:55 AM

Ok, I got it! Here's the revised syntax:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

Give this a try. If it works, I'll update the original answer so you can accept it.

0 Karma
Reply
Solved! Jump to solution

wfrankl2
Explorer
‎04-06-2018 07:21 AM

hey that worked!!! Thank you that's perfect!

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-06-2018 07:35 AM

Great! I fixed the original answer, so you can accept it. Glad we got it working!

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-05-2018 10:21 AM

Ah, you're right. I didn't carry the variable through, and when I test that now, it doesn't work. I'll keep trying. Sorry about that!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...