Hello fellows, We also had a very similar issue like described by @harry2007gsp, if we put the dbxquery into a saved search, we get the following error. Even though the same search worked perfectly when we run it directly. Splunk version 7.2.7 says "Unrecognized option". After a long job inspection we figured out, Splunk automatically adds by calling saved searches "| search" at the beginning of the line! resulting in "| search | dbxconnect [..." And because the dbxquery has to be the first line operator, everything crashes. Original state: The call: | savedsearch "DBXQUERY" The saved search: | dbxquery [| makeresults \`getSplunkAppName\` | eval query="SELECT COUNT(*) FROM TABLE WHERE SPLUNK_APP = '".SplunkApp."'" | return query] connection="SomeDB" The Macro (just gives the name of hte current splunk application): | eval [rest /services/search/jobs splunk_server=local | addinfo | where sid = info_sid | rename eai:acl.app as SplunkApp | return SplunkApp] And after removing the leading pipeline in the saved search, splunk stopped to add "| search". Also the new working saved search has bekome: dbxquery [| makeresults \`getSplunkAppName\` | eval query="SELECT COUNT(*) FROM TABLE WHERE SPLUNK_APP = '".SplunkApp."'" | return query] connection="SomeDB" ... View more

It may have been "strftime(_time,"%U")" as yannK said. But in the current Splunk version is the week number defined by "%V" So, the code snippet should be: | eval dateyearweek=strftime(_time,"%Y-%V")| stats count by dateyearweek See Docs for more info. Best Regards! ... View more