Re: How to run a parameterized map command as a sa...

bojanjanisch · ‎02-28-2019

Hi everyone,

I have the following dummy search saved as a report:

Executing this search directly runs without issues. However when calling it using the savedsearch-command:

| savedsearch TestReport

I get the following error message:

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'TestReport': Error while replacing variable name='test'. Could not find variable in the argument map.

I'm running Splunk 7.1.1 on a standalone machine. Does someone has a clue why it can be executed manually but not as a report and how I could execute it as a report?

Kind regards,
Bojan

ammara · ‎01-14-2020

Just had the very same problem and spent far too long trying to solve it. If you write test like this: $test$ then splunk interprets this as expecting an input variable of test. To resolve this it looks like you have to use double dollar signs:
| makeresults count=1 | eval test="Hello" | map search="| makeresults count=1 | eval test=$$test$$"

How to run a parameterized map command as a savedsearch report?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

How to run a parameterized map command as a savedsearch report?

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...