Re: How to run a parameterized map command as a sa...

bojanjanisch · ‎02-28-2019

Hi everyone,

I have the following dummy search saved as a report:

Executing this search directly runs without issues. However when calling it using the savedsearch-command:

| savedsearch TestReport

I get the following error message:

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'TestReport': Error while replacing variable name='test'. Could not find variable in the argument map.

I'm running Splunk 7.1.1 on a standalone machine. Does someone has a clue why it can be executed manually but not as a report and how I could execute it as a report?

Kind regards,
Bojan

ammara · ‎01-14-2020

Just had the very same problem and spent far too long trying to solve it. If you write test like this: $test$ then splunk interprets this as expecting an input variable of test. To resolve this it looks like you have to use double dollar signs:
| makeresults count=1 | eval test="Hello" | map search="| makeresults count=1 | eval test=$$test$$"

How to run a parameterized map command as a savedsearch report?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to run a parameterized map command as a savedsearch report?

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...