topic Re: Map command breaks when scheduled in Alerting

Map command breaks when scheduled

Joshua — Fri, 15 Jul 2011 09:16:33 GMT

I am running a custom python search command for custom alerting from Splunk which takes variables from the search query and using the map command to feed the set variables into the script.

I'll use the sendemail command as an example;

host="myserver" "OutOfMemory" | map search="| sendemail to="test@test.com" subject=$host$ server="mailhost""

This works perfectly when run directly via the GUI search, however if I turn this into a ScheduledSearch using the same query it doesn't work. Splunk logs will indicate that it ran succesfully and didnt encounter any exceptions however my email does not get sent.

By turning the sendemail function to echo the output into a text file I can see that nothing happens either. What gets interesting is that if I replace $host$ with "myservername" and dont use any $variables$ it works!

I have tried escaping the strings passed to the python script directly within the script when extracting the variables though it has no affect.

subject=\"\'$host$\'\"

By double quoting the above it still works via the GUI, though when scheduled my email sends but with subject as inner quotes - \'\'

Indicating that the variable is either not being transformed or is replaced with nothing.

I have tried placing the entire search query again within the sub map search with no affect either...

Any suggestions would be great, otherwise I'll have to raise a support case.

Note: This is on a windows server.

Re: Map command breaks when scheduled

Joshua — Mon, 18 Jul 2011 13:44:45 GMT

Workaround developed until a resolution for this method is found.

Re: Map command breaks when scheduled

carasso — Mon, 26 Sep 2011 22:30:29 GMT

Your quoting is wrong for the map command. Try using the subsearch syntax.
e.g.

| map [ sendemail to="test@test.com" subject=$host$ server="mailhost"]

See:

http://splunk-base.splunk.com/answers/27012/whats-wrong-with-this-map-search-command

Re: Map command breaks when scheduled

s_n — Wed, 15 Feb 2012 11:14:02 GMT

Old topic but someone may find it via google looking for a solution.
For me saved search with map command, to which $variable$ is passed worked in the following way...

savedsearch_1:

foo | map savedsearch_2 var1=$var1$ var2=$var2$

savedsearch_2:

search bar | where var1=$var1$ var2=$var2$ | head 1

Trying different syntax like:

    foo | map search="search bar | where var1=\"$var1\" var2=\"var2\" | head 1"

worked well in interactive search but on saved and scheduled the variables weren't passed to the map command so the search always was returning no results.

Re: Map command breaks when scheduled

tysonstewart — Tue, 10 Apr 2012 22:15:20 GMT

Just wanted to highlight the fact that the key here is saving a search for the map command to use. Variable names inside a string disappear when run by the scheduler.

Re: Map command breaks when scheduled

traugust — Mon, 08 Oct 2012 09:31:56 GMT

Thanks a lot for sharing this approach! It helped me out and I can confirm that it worked for me as solution for the above problem.