I'm using Splunk 3.4.10 with the free license on a CentOS machine. I've created a saved form search called "Trace Mail" that I hope to use to trace a single message through my mail servers as it gets new queue IDs. This form search worked until yesterday; now, when I try to run it, a Splunk error is logged that says "Error while replacing variable name="foo". Could not find variable in the argument map."
The current syntax for my saved search is: ID = ": $first$:" OR ID = ": $second$:" where ID is an extracted field.
When I use ID = ": $first$:", the search completes properly, returning all expected results. Has anyone else experienced this?
You're better off asking about this on the Splunk forums. There aren't that many people around who use Splunk, so you want to concentrate on the right community.
At the very least you're going to need to tell them what mail server you're using and the transforms, props and full saved search on the Splunk server. Some log snippets would be handy too.
It turns out, after some more digging and testing, that the form search doesn't handle empty fields well. I couldn't figure out any way around this problem besides putting something in the previously empty fields.