Why is the substitution string not working when using the map command to execute a saved search?

New Member

From the documentation:
"When using a saved search or a literal search, the map command supports the substitution of $variable$ strings that match field names in the input results."
So this is a basic example of what I'm trying to do. The actual work is that I am running a search on some data and, for each value returned, if any, I would need to execute a different saved search. So I need to be able to assign the correct saved search name based on a value in the result, then call the saved search to run. So I can't hard code the saved search in the map command because it's different for every event.

index="testdata" | eval alert="My Test Alert"
| map $alert$

You'll need to combine the map command with the savedsearch command to reference the saved search in the mapped subsearch. Here's a little demo.

First, create a saved search called test_generate. The code in this saved search:

| makeresults 
| eval testfield="test_generate ran"

Then, test loading it in a new search:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

This will result in Splunk running your saved search and returning a stats table with the current time and testfield="test_generate ran". This can serve as a template for what you're trying to do.

New Member

Hmmm, ok, so I'm a little confused: you are still using the actual saved search name in the map. The example I provided was not very well expressed, my apologies. Let me go about it like this.

index=testindex | stats count by fielda | eval searchname=if(fielda=="John","John Alert","EveryoneElse Alert")
| map $searchname$

So if I get 2 rows back:
fielda=john savedsearch="John Alert"
fieldb=joan savedsearch="EveryoneElse Alert"

Then I get John Alert executed for the first row.
Then EveryoneElse Alert for the second row.

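Putting the accepted answer's savedsearch fix together with the conditional naming from the follow-up above, as an added example that is not from the original thread. It assumes two saved searches named "John Alert" and "EveryoneElse Alert" already exist, that testindex is a placeholder index, and that search_name is just the field name chosen here; because both saved search names contain a space, the savedsearch call inside map quotes them with escaped double quotes, and maxsearches is raised above map's default of 10 so that additional rows are not cut off.

```spl
index=testindex
| stats count by fielda
| eval search_name=if(fielda=="John", "John Alert", "EveryoneElse Alert")
| map search="| savedsearch \"$search_name$\"" maxsearches=50
```

Because search_name is produced by eval from two fixed literals rather than copied out of raw event data, the only values that ever get interpolated into the mapped search string are those two known saved search names. Keep it that way: substituting a field taken directly from events into map's search string lets event content shape the subsearch that runs.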

Ok, I got it! Here's the revised syntax:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

Give this a try. If it works, I'll update the original answer so you can accept it.


New Member

hey that worked!!! Thank you that's perfect!


Great! I fixed the original answer, so you can accept it. Glad we got it working!


Ah, you're right. I didn't carry the variable through, and when I test that now, it doesn't work. I'll keep trying. Sorry about that!
