topic Re: Can't MAP a host field with IN clausole in a map searching in Splunk Search

Can't MAP a host field with IN clausole in a map searching

verbal_666 — Mon, 21 Oct 2019 11:53:28 GMT

As in object, it's a strange behaviour, i can't use an IN clausole with host field in a map search.

Here's my search,

|inputlookup list.csv|where tag="locals"
|map maxsearches=50 search="search index=* host IN($hostnames$) source=$source$|table host,source"

First line works, all fields are passed to map (i also tried a display fields in the map search, and all fields are ok).
Second line, the map, does not work with IN clausole and "hostnames" field with more than 1 host.

list.csv

NOT WORKING
tag     hostnames   source
locals  host1,host2 /tmp/*logs
locals  host1,host2 /tmp/*TXT
locals  host1,host2 /tmp/*json

WORKING
tag     hostnames   source
locals  host1   /tmp/*logs
locals  host2   /tmp/*logs
locals  host1   /tmp/*TXT
locals  host2   /tmp/*TXT
locals  host1   /tmp/*json
locals  host2   /tmp/*json

I also tried a

host IN(*$hostnames$*)

but this is like an IN(**), variable seems to be null, but i can display if i try a

|makeresults|eval host=$hostnames$|table host

Why?
Suggestions?

Re: Can't MAP a host field with IN clausole in a map searching

kamlesh_vaghela — Mon, 21 Oct 2019 12:44:42 GMT

@verbal_666

Not sure about map but you can try below search.

index=*  [ |inputlookup list.csv|where tag="locals" | eval hostnames =split(hostnames,",") | mvexpand hostnames | table  hostnames source   ] |table host,source

Re: Can't MAP a host field with IN clausole in a map searching

verbal_666 — Mon, 21 Oct 2019 15:20:11 GMT

Thanx a lot.
But i have built this little "Engine" for the "map" command; in reality the csv has many many more fields (earliest, latest, thresholds, pattern to find etc.....). MAP command works perfecly, only the IN clausole does not when i have more than 1 host!!!!!!! 😐 .....also, the "table host,source" up is only an example, in the real searches i have more than 10 piped commands. It works, but the "host IN" with multiple hosts NOT 😐 😐 😐

With the subsearch i need to change many things. Also, the subsearch up, i think, should be ended with a "format" command and also hostnames renamed in "host" to work fine.

I prefer to fix the "map", for now.
Thanks a lot.

ps. i fixed as workaround the "IN problem" with a tag/eventtype in front who make me permit to search what i need

|map maxsearches=50 search="search tag=MYTAG source=$source$|table host,source"

....tag/eventtype contain index and hosts i need.................. i want to bypass also tag.

Re: Can't MAP a host field with IN clausole in a map searching

verbal_666 — Mon, 21 Oct 2019 19:26:07 GMT

Found the problem. Inputlookup passes variables to the map with double-quotes,so a single host is get, a list in IN clausole not.

Ex.

host1,host2

become, literally,

"host1,host2"

IN("host1,host2")

is not parsed good,

host1 IN(host1)

in parsed good, without double quotes, but also making quoted works with single host. Null-string is passed as "".

Trying to remove the quotes.

Another workaround, bad, but working,is something like adding single host fields in csv,
h1,h2,h3,h4
and

(host=$h1$ OR host=$h2$ OR host=$h3$ OR host=$h4$)

in the map search. Very bad, but it works.

Re: Can't MAP a host field with IN clausole in a map searching

verbal_666 — Mon, 21 Oct 2019 19:45:41 GMT

Gotcha...

 |inputlookup list.csv|where tag="locals"
 |map maxsearches=50 search="search index=* host IN([|makeresults|eval h=$hostnames$|return $h]) source=$source$|table host,source"