I am having trouble constructing a search command in an Eval statement. I stripped it down to its most basic form to troubleshoot, but I still can't get that to work.
| makeresults
| eval test = "search earliest=1576263600 latest=1576512000 index=security sourcetype=host_info | head 10"
| map search="$test$"
I also tried this which was recommended in a different splunk answers post, but that still didn't work for me on Splunk version 7.1.6.
| makeresults
| eval test = "earliest=1576263600 latest=1576512000 index=security sourcetype=host_info | head 10"
| map search="search [| makeresults | eval evaltest=$test$ | return $evaltest]"
try giving double $ sign . passed variables should be in $$ sign.
| map search="search [| makeresults | eval evaltest="$$test$$" | return $evaltest]"