topic Re: Problem with map command - Using search from lookup in Splunk Search

Problem with map command - Using search from lookup

astatrial — Mon, 06 May 2019 14:01:54 GMT

Hi all,
I am trying to run a map command that will run searches from a lookup one by one as follows :

| inputlookup "Correlation_searches.csv" 
| head 1
| map search="$check_search$"

The head 1 is just for debug purpose. The value of $check_search$ is the search.

For some reason i get the next error :

Unable to run query '"| tstats `summariesonly` count from 
datamodel=\"Change_Analysis.All_Changes\" where earliest=-7d@h latest=now 
nodename=\"All_Changes.Account_Management\" \"All_Changes.tag\"=\"delete\""'.

But i ran this search and it worked just fine:

| makeresults 1 
| map search="| tstats `summariesonly` count from datamodel=\"Change_Analysis.All_Changes\" 
where earliest=-7d@h latest=now nodename=\"All_Changes.Account_Management\" 
\"All_Changes.tag\"=\"delete\""

Thanks !

Re: Problem with map command - Using search from lookup

Vijeta — Mon, 06 May 2019 14:05:10 GMT

@astarial - Try removing the quotes. map search=$check_search$

Re: Problem with map command - Using search from lookup

astatrial — Mon, 06 May 2019 14:12:01 GMT

already tried it, and got the same result.

Re: Problem with map command - Using search from lookup

somesoni2 — Wed, 30 Sep 2020 00:26:23 GMT

Does your lookup table field check_search has all the quotes/special character escaped? Would you mind pasing result of | inputlookup "Correlation_searches.csv" | head 1 here. Do remember to format the result using 101010 button in the editor here OR press Ctrl+K after selecting it. Also, scrub any sensitive data that you may have.

Re: Problem with map command - Using search from lookup

astatrial — Tue, 07 May 2019 07:00:38 GMT

The output of this command is :

check_search        
| tstats `summariesonly` count from datamodel="Change_Analysis.All_Changes" where earliest=-7d@h latest=now  nodename="All_Changes.Account_Management" "All_Changes.tag"="delete"

This is just a version of a built in correlation search, so there is nothing sensitive here. The check_search is the name of the column

Re: Problem with map command - Using search from lookup

woodcock — Tue, 07 May 2019 15:12:28 GMT

It is not obvious but if you look closely, you will see that there are double-quote characters getting in the way. The search that is getting run is this:

"| tstats `summariesonly` count from 
datamodel=\"Change_Analysis.All_Changes\" where earliest=-7d@h latest=now 
nodename=\"All_Changes.Account_Management\" \"All_Changes.tag\"=\"delete\""

Instead of your desire of this:

| tstats `summariesonly` count from 
datamodel="Change_Analysis.All_Changes" where earliest=-7d@h latest=now 
nodename="All_Changes.Account_Management" "All_Changes.tag"="delete"

The problem is discussed with my solution here:
https://answers.splunk.com/answers/719456/how-do-you-prevent-the-map-command-from-encapsulat.html
So try this:

| inputlookup "Correlation_searches.csv" 
| head 1
| map search="[|makeresults | eval check_search=$check_search$ | return $check_search]"

Re: Problem with map command - Using search from lookup

astatrial — Sun, 12 May 2019 06:57:41 GMT

Hi, thanks for your help.
That didn't work for some reason.
The result was the same as the first query (with the \" ).

Re: Problem with map command - Using search from lookup

DavidHourani — Sun, 12 May 2019 14:51:29 GMT

Hi @astatrial,

The problem is not in your query but in your CSV file. Make sure the searches in the CSV file are not in quotes as that is what is breaking your search.

Cheers,
David

Re: Problem with map command - Using search from lookup

astatrial — Sun, 12 May 2019 15:05:50 GMT

Hi David.
Actually the csv file is fine. I think the problem is with the map command adding \ before the "

Re: Problem with map command - Using search from lookup

DavidHourani — Sun, 12 May 2019 15:08:54 GMT

No double quotes in the CSV file ?

Re: Problem with map command - Using search from lookup

astatrial — Sun, 12 May 2019 15:11:16 GMT

I checked and there aren't.

Re: Problem with map command - Using search from lookup

DavidHourani — Sun, 12 May 2019 15:22:09 GMT

Have a look here if it's the \ causing the problem : https://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Escape_the_.24_token_delimiter_character
You can try to escape your search token using |s or |n like : $check_search|s$

Re: Problem with map command - Using search from lookup

astatrial — Sun, 12 May 2019 15:31:00 GMT

Tried it but it didn't work. Thanks anyway.

Re: Problem with map command - Using search from lookup

woodcock — Sun, 12 May 2019 17:37:40 GMT

Escaping the double-quotes is absolutely necessary because the map clauses is always in double-quotes. Test my solution with a simpler search string that does not need/have any double-quotes. Try to eliminate variables.