topic Re: map command in Splunk Search

map command

kgrahamLM — Thu, 30 Jul 2020 17:03:16 GMT

Can I use the map command with the variable being the index and/or sourcetype?

Re: map command

richgalloway — Thu, 30 Jul 2020 18:49:06 GMT

If the field exists prior to the map command then you should be able to use it within the command. Have you tried it?

Re: map command

kgrahamLM — Thu, 30 Jul 2020 19:02:15 GMT

The field 'index' exists and contains 'index=_audit', however, it won't render. I get an error message.

Re: map command

kgrahamLM — Thu, 30 Jul 2020 19:27:47 GMT

When testing..... I hard coded 'index=_audit" and the results rendered. (see below)

| makeresults
| eval User = "1234", index = "index=_audit"
| table User, index
`comment(" -------------------- GET LIST OF JOBS THAT RAN FOR THIS USER -------------------- ")`
| map search="search index=_audit user="$User$" savedsearch_name=*
| where len(savedsearch_name) > 1
| eval User = "$User$",
LogSource = "$index$"
| table LogSource, User, savedsearch_name, _time, user "

LogSource outputs: index=_audit
but
User does NOT output 1234

Can't think of why!

Then I replace the hardcoded index with the variable and it returns 0 results.
| makeresults
| eval User = "1234", index = "index=_audit"
| table User, index
`comment(" -------------------- GET LIST OF JOBS THAT RAN FOR THIS USER -------------------- ")`
| map search="search $index$ user="$User$" savedsearch_name=*
| where len(savedsearch_name) > 1
| eval User = "$User$", LogSource = "$index$"
| table LogSource, User, savedsearch_name, _time, user "

Is there something wrong with my syntax? If I get it working I plan on substituting the | makeresults with a lookup to get multiple items.

Re: map command

richgalloway — Thu, 30 Jul 2020 19:30:22 GMT

What is the error message?

Re: map command

richgalloway — Thu, 30 Jul 2020 20:12:01 GMT

In checking the search log, I see this

07-30-2020 15:48:30.388 INFO SearchParser - PARSING: search "index=_audit" user=admin savedsearch_name=*\n| where len(savedsearch_name) > 1\n| eval User = admin, LogSource = "index=_audit"\n| table LogSource, savedsearch_name, _time, user

It would appear that the $index$ token is being used literally, including the quotation marks. That, of course, breaks the search.

Why can you not put index=$index$ in map and set the token to the index name?

Re: map command

kgrahamLM — Fri, 31 Jul 2020 12:23:26 GMT

I can't hardcode index because sometimes I will be looking for different variations like: index only or index and sourcetype. Is there a way to escape the quote within the map command?

Re: map command

richgalloway — Fri, 31 Jul 2020 13:24:59 GMT

I was unable to find a way to suppress or escape the quotation marks. IMO, the presence of quotation marks in the parsed search is a bug. Consider submitting a support request to Splunk.