A big thanks to my Splunk partner in crime C.F. We were able to solve this issue by calling a macro. The quotes are removed from the lookup returned value when inserted into a macro.
We can successfully add searches to a lookup table and loop through each search with the map command. Here is how we did it.
First: Create your lookup table with a list of searches to execute. In our case we used lookup editor and named the field "check". Create your csv file however you want.
check,Description
index=_internal sourcetype=splunkd component=WatchedFile | stats earliest(_time) as firstime latest(_time) as lasttime count by component log_level, Internal WatchFile Check
index=_internal sourcetype=splunkd component=TcpOutputProc | stats earliest(_time) as firstime latest(_time) as lasttime count by component log_level, Internal TcpOutPutProc Check
Second: Create a macro. Give the macro a name with a value of 1. The search will just be a name surrounded by $'s and a single argument. The search defined in the lookup table will be passed to this macro.
Third: Create the search that calls the lookup table and passes the results to the macro with the map command.
The lookup table is called. Only the check field is output because there is no reason to also pass the description field. The description field is for the admins to remember what the search is looking for.
The map command is called, which includes the macro, and the output from the lookup table is inserted into the required variable. Don't forget about the backticks when calling a macro.
|inputlookup internalchecks.csv | fields + check | map search="search `internalcheck($check$)`" maxsearches=100
The Results. The job inspector shows how each search was expanded by the macro.
All my users have to do now is add searches to the lookup table without modifying the search. The idea behind this search is to perform validation checks against data in Splunk. Does X field have Y value? Or does X field have the correct length and numeric output? Sometimes a search with large amounts of appends, ANDs, ORs, NOTs can be cumbersome to maintain.
Would you rather maintain a lookup table with a small search or the search below? By looping through the lookup table, we avoid appending and sub-searches.
index=_internal sourcetype=splunkd component=WatchedFile | stats earliest(_time) as firstime latest(_time) as lasttime count by component log_level | append [search index=_internal sourcetype=splunkd component=TcpOutputProc | stats earliest(_time) as firstime latest(_time) as lasttime count by component log_level]
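As an added example (not from the original post), here is the macro from the second step written as a macros.conf stanza rather than created in the UI; it assumes the macro is named internalcheck, as in the map search above, and that the file lives in an app's local directory:

```ini
# Assumed path: $SPLUNK_HOME/etc/apps/<your_app>/local/macros.conf
# The "(1)" in the stanza name is the argument count the post refers to as
# "a value of 1". The definition is nothing but the argument itself, so the
# SPL string held in each lookup row is expanded verbatim into the outer
# search; this pass-through is what drops the quotes that broke the direct
# map substitution.
[internalcheck(1)]
args = check
definition = $check$
iseval = 0
```

Restrict who can edit this macro and the internalchecks.csv lookup, since anyone who can change either controls which searches the map command runs under the calling user's permissions.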