| inputlookup searches| map maxsearches=10 search="search [ stats count

1. | inputlookup searches
2. | map maxsearches=10 search="search
3. [ stats count
4. | eval search=\"$search_string$\"
5. | table search ]
6. | eventstats first(sapnumber) as sapnumber by source
7. | eval _raw=\"***SPLUNK*** index=\\\"$destination_index$\\\" host=\\\"\" + host + \"\\\" source=\\\"\" +
8. source + \"\\\" sourcetype=\\\"\" + sourcetype + \"\\\"
9. \" + sapnumber + \"|\" + _raw
10. | collect file=\"../../../etc/apps/appname/data/stash/$destination_index$\" spool=f
11. | stats count
12. | eval message=count+\" events written to the $destination_index$ index.\"
13. | table message"