topic Re: How do you prevent the map command from encapsulating the variable in quotes? in Splunk Search

How do you prevent the map command from encapsulating the variable in quotes?

quasikaze — Mon, 28 Jan 2019 17:09:41 GMT

The quotes can only be seen in the search.log in one of the SearchParser component events.

My ultimate goal is to be able to pass a single field with an arbitrary number of values through map to the same variable in multiple sections of the subsearch, one of which is specifically in the by section of a tstats. The examples below are proofs-of-concept to illustrate the problem. I've tried other approaches including tokens, not that there's a token to remove quotes, but have obviously been unsuccessful in my various attempts.

Ex #1: Value End Up Quoted & Does Not Work

<pre>| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"</pre>

Ex #2: Does Not Quote Value & Works

<pre>| makeresult
| eval test = "sourcetype"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"</pre>

Here's an alternative approach I tested, but it only seems to execute whatever is in the first record of the nested subsearch, which in this case is "sourcetype,host".

Ex #3: "by" Subsearch

<pre>| makeresults 
| fields sourcetype, host, lastTime 
| map 
    [| tstats latest(_time) AS lastTime WHERE index=_internal by 
        [| makeresults count=2 
        | streamstats count AS counter 
        | eval search = if(counter=1, "sourcetype,host", "sourcetype") 
        | fields - _time, counter ] 
        ]</pre>

Any thoughts?

Note: I did see the post "Why is there a problem when passing a command through a variable in map-command?", but it doesn't really help in this situation seeing as it doesn't solve how to do it in the by section. At least, if it does, I missed it.

Re: How do you prevent the map command from encapsulating the variable in quotes?

Vijeta — Mon, 28 Jan 2019 17:24:55 GMT

Did you try using
\"$test$\" instead of $test$ in your second example?

Re: How do you prevent the map command from encapsulating the variable in quotes?

quasikaze — Mon, 28 Jan 2019 18:58:50 GMT

Yeah. No luck there. Thanks though!

Re: How do you prevent the map command from encapsulating the variable in quotes?

woodcock — Mon, 28 Jan 2019 22:50:41 GMT

This is a difficult problem that took me forever to figure out but once I show you the trick, you are going to kick yourself. You cannot stop map from doing this, but you can work around it; you need to use both a subsearch and a map like this:

| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by [|makeresults | eval test=$test$ | return $test]"

BOOM! (That is the sound of the microphone that I dropped hitting my foot).

Re: How do you prevent the map command from encapsulating the variable in quotes?

woodcock — Mon, 28 Jan 2019 22:58:34 GMT

You took my suggestion to just add a subsearch but missed it by >that< much!

Re: How do you prevent the map command from encapsulating the variable in quotes?

quasikaze — Tue, 29 Jan 2019 15:48:43 GMT

This is what I needed! Thank you!

Re: How do you prevent the map command from encapsulating the variable in quotes?

quasikaze — Tue, 29 Jan 2019 16:01:18 GMT

lol! That's actually what I tried a couple days earlier when talking back and forth with daljeanis. When I saw your comment about that, I had already forgotten about it and had no idea where you were talking about adding a subsearch or what to even put in it and just confusingly dismissed it. :facepalm: There's absolutely no way I would've solved it without your help! I've never had reason to use return, so I completely forgot it even existed! I've been working this issue off and on for months, so to finally have a solution is inspiring. Thanks again!

Re: How do you prevent the map command from encapsulating the variable in quotes?

woodcock — Tue, 29 Jan 2019 16:44:23 GMT

I feel your pain. I had the same experience. I absolutely had to make it work. It took me weeks and then God pushed the idea into my head; it just clicked! I solved it in my mind and I knew that it would work before I even tested it.

Re: How do you prevent the map command from encapsulating the variable in quotes?

woodcock — Wed, 30 Jan 2019 00:53:36 GMT

Tokens, tokens, everywhere! I shudder to think of how this will look as a dashboard panel!

Re: How do you prevent the map command from encapsulating the variable in quotes?

pierrealex — Thu, 06 Apr 2023 15:10:08 GMT

Thank you so much

I didn't undestand the tricks with `return $test` and why only one $

But this make the job!