Splunk Search

How to run a parameterized map command as a savedsearch report?

bojanjanisch
New Member

Hi everyone,

I have the following dummy search saved as a report:

| makeresults count=1 | eval test="Hello" | map search="| makeresults count=1 | eval test=\"$test$\""

Executing this search directly runs without issues. However when calling it using the savedsearch-command:

| savedsearch TestReport

I get the following error message:

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'TestReport': Error while replacing variable name='test'. Could not find variable in the argument map.

I'm running Splunk 7.1.1 on a standalone machine. Does someone has a clue why it can be executed manually but not as a report and how I could execute it as a report?

Kind regards,
Bojan

0 Karma

ammara
Explorer

Just had the very same problem and spent far too long trying to solve it. If you write test like this: $test$ then splunk interprets this as expecting an input variable of test. To resolve this it looks like you have to use double dollar signs:
| makeresults count=1 | eval test="Hello" | map search="| makeresults count=1 | eval test=$$test$$"

Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...