I'm trying to make a search involving the map command work from inside a SplunkJS/HTML Dashboard, i.e. launched by a SearchManager. Say this were my search in a regular search bar:
index=_internal error | localize | map search="search index=_internal earliest=$starttime$ latest=$endtime$"
$starttime$ and $endtime$ will be replaced by map based on the previous pipeline, that's working well.
Transferring this to AdvancedXML you'd need to double up the $ signs to escape them to get this:
index=_internal error | localize | map search="search index=_internal earliest=$$starttime$$ latest=$$endtime$$"
That works well too.
However, when I'm trying to run the search from a SearchManager, I can't get this to work. Running the second escaped query gives me no results and this warning:
Unable to run query 'search index=_internal earliest=$1390463531$ latest=$1390463736$'.
This suggests that my escaped $$starttime$$ was replaced while retaining the escaping $ signs. Removing the escaping $ signs gives me this warning:
Search query is not fully resolved.
In both cases I've set tokens to false to not substitute tokens from an input field or wherever. Here's the SearchManager for completeness' sake:
var search1 = new SearchManager({
    "id": "search1",
    "status_buckets": 0,
    "search": 'index=_internal error | localize | map search="search index=_internal earliest=$$starttime$$ latest=$$endtime$$"',
    "earliest_time": "-15m@m",
    "cancelOnUnload": true,
    "latest_time": "now",
    "app": utils.getCurrentApp(),
    "auto_cancel": 90,
    "preview": true
}, {tokens: false});
As expected, using mvc.tokenEscape(1) doesn't affect this, because token isn't set to true.
How do I get this to work?