Unable to Run Search While Using map Command in Splunk

Sometimes errors are just a little too confusing for me on a Monday.

I was trying to run the following search:

| makeresults 1 
| eval cheese_id="12345", index="cheese" 
| map search="index=$index$ cheese_id=$cheese_id$ sourcetype=cheese_info"
| table cheese_id, name, description

And couldn’t work out why it was throwing the following error:

warn : Unable to run query index=cheese cheese_id=12345 sourcetype=cheese_info | table cheese_id, name, description.

Turns out that if I’d squinted a little harder at the example in the documentation, I’d have realised that I need to prepend searches with the search command. The UI does this automatically, but API things don’t.

So the command became:

| map search="search index=$index$ cheese_id=$cheese_id$ sourcetype=cheese_info"
| table cheese_id, name, description
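
To catch this before a query is saved or sent over the API, here is a small lint check, added as an example and not part of the original post or of Splunk itself. The function names and the regex heuristic are assumptions, as is treating a leading pipe (a generating command) as valid inside map.

```python
import re

# Heuristic matcher for: map [options] search="<inner SPL>" (allows \" inside).
MAP_SEARCH = re.compile(r'\bmap\b[^|"]*?\bsearch\s*=\s*"((?:\\.|[^"\\])*)"')


def needs_search_prefix(inner: str) -> bool:
    """True when the inner string starts with neither a pipe nor `search`."""
    stripped = inner.lstrip()
    if stripped.startswith("|"):  # assumption: generating commands are fine
        return False
    return re.match(r"search(\s|$)", stripped) is None


def lint_map_searches(spl: str) -> list[str]:
    """Return the inner searches of map commands that lack the prefix."""
    return [m.group(1) for m in MAP_SEARCH.finditer(spl)
            if needs_search_prefix(m.group(1))]


def fix_map_searches(spl: str) -> str:
    """Rewrite each offending map search="..." to start with `search `."""
    def repl(m: re.Match) -> str:
        inner = m.group(1)
        if not needs_search_prefix(inner):
            return m.group(0)
        whole, start = m.group(0), m.start(1) - m.start(0)
        return whole[:start] + "search " + inner.lstrip() + whole[start + len(inner):]
    return MAP_SEARCH.sub(repl, spl)


# The failing query from this post, plus one constructed query that is already valid.
FAILING = '''| makeresults 1
| eval cheese_id="12345", index="cheese"
| map search="index=$index$ cheese_id=$cheese_id$ sourcetype=cheese_info"
| table cheese_id, name, description'''
GENERATING = '| makeresults | map maxsearches=5 search="| inputlookup cheese.csv"'

if __name__ == "__main__":
    for name, query in (("failing", FAILING), ("generating", GENERATING)):
        print(name, "->", lint_map_searches(query) or "ok")
    print(fix_map_searches(FAILING))
```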


#splunk #errors #map #spl