When trying to execute a savedsearch from the CLI, I receive the following error in splunkd.log:
ERROR SearchOperator:savedsplunk - Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'SS_LIS18_Provisioning_Call_Coverage_Extract': Error while replacing variable name='carrierid'. Could not find variable in the argument map.
The truly puzzling thing about this is that the savedsearch executed quite nicely the previous day. The savedsearch executes from the search bar in the GUI when called by the |savedsearch command. Oh, and there is no variable named 'carrierid'. There is a 'CarrierID', and its value is supplied, but no variable 'carrierid' in all lower case. And we all know that Splunk is definitely case-sensitive, right?
One case where this happens is when starting the saved search from a dashboard using a token.
The error occurs with syntax like this:
|savedsearch testsavedsearch |where Department=$Department$
Whether the error occurs depends on the contents of your saved search.
If you get the error, you can try this syntax:
|savedsearch testsavedsearch Department=$Department$
In your saved search you can also use (though it is not always necessary):
Department=$Department$
So, for example:
index=main sourcetype=test Department=$Department$ |stats count(user) by Department