When testing..... I hard coded 'index=_audit" and the results rendered. (see below) | makeresults | eval User = "1234", index = "index=_audit" | table User, index `comment(" -------------------- GET LIST OF JOBS THAT RAN FOR THIS USER -------------------- ")` | map search="search index=_audit user="$User$" savedsearch_name=* | where len(savedsearch_name) > 1 | eval User = "$User$", LogSource = "$index$" | table LogSource, User, savedsearch_name, _time, user " LogSource outputs: index=_audit but User does NOT output 1234 Can't think of why! Then I replace the hardcoded index with the variable and it returns 0 results. | makeresults | eval User = "1234", index = "index=_audit" | table User, index `comment(" -------------------- GET LIST OF JOBS THAT RAN FOR THIS USER -------------------- ")` | map search="search $index$ user="$User$" savedsearch_name=* | where len(savedsearch_name) > 1 | eval User = "$User$", LogSource = "$index$" | table LogSource, User, savedsearch_name, _time, user " Is there something wrong with my syntax? If I get it working I plan on substituting the | makeresults with a lookup to get multiple items.
... View more