Why is the substitution string is not working when using the map command to execute a saved search?

wfrankl2
Explorer

From the documentation
"When using a saved search or a literal search, the map command supports the substitution of $variable$ strings that match field names in the input results"
So this is a basic example of what I'm trying to do. The actual work is that I am running a search on some data and, for each value returned, if any, I would need to execute a different saved search. So I need to be able to assign the correct saved search name based on a value in the result, then call the saved search to run. So I can't hard code the saved search in the map command because it's different for every event.

index="testdata" | eval alert="My Test Alert"
   | map $alert$
0 Karma
1 Solution

elliotproebstel
Champion

You'll need to combine the map command with the savedsearch command to reference the saved search in the mapped subsearch. Here's a little demo.

First, create a saved search called test_generate. The code in this saved search:

| makeresults 
| eval testfield="test_generate ran"

Then, test loading it in a new search:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

This will result in Splunk running your saved search and returning a stats table with the current time and testfield="test_generate ran". This can serve as a template for what you're trying to do.

0 Karma

wfrankl2
Explorer

Hmmm, ok, so I'm a little confused: you are still using the actual saved search name in the map. The example I provided was not very well expressed, my apologies. Let me go about it like this.
index=testindex |stats count by fielda|eval search_name=if(fielda=="John","John Alert","EveryoneElse Alert")
|map $search_name$

So if I get 2 rows back
fielda=john saved_search="John Alert"
fieldb=joan saved_search="EveryoneElse Alert"

Then I get John Alert executed for the first row.
Then EveryoneElse Alert for the second row.

0 Karma

elliotproebstel
Champion

Ok, I got it! Here's the revised syntax:

| makeresults 
| eval search_name="test_generate"
| map search="| savedsearch $search_name$"

Give this a try. If it works, I'll update the original answer so you can accept it.

0 Karma
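Carrying the routing scenario from the question through this pattern, as an added example rather than code from either poster: the index, field and saved-search names are the ones wfrankl2 used, the inner quotes are escaped because those saved-search names contain spaces, and maxsearches is set explicitly because map stops after 10 searches by default.

```spl
index=testindex
| stats count by fielda
| eval search_name=if(fielda=="John", "John Alert", "EveryoneElse Alert")
| map maxsearches=50 search="| savedsearch \"$search_name$\""
```

Because the substituted value becomes part of a command string, keep search_name derived from fixed literals as the eval does here rather than passing a raw event field into $...$, so that event data cannot choose which saved search runs.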

wfrankl2
Explorer

hey that worked!!! Thank you that's perfect!

0 Karma

elliotproebstel
Champion

Great! I fixed the original answer, so you can accept it. Glad we got it working!

0 Karma

elliotproebstel
Champion

Ah, you're right. I didn't carry the variable through, and when I test that now, it doesn't work. I'll keep trying. Sorry about that!

0 Karma