topic Re: Error in use of 'map' search command in Splunk Search

Error in use of 'map' search command

kevintelford — Tue, 30 Nov 2010 04:44:03 GMT

I have a sourcetype called sourcetype1 that contains the following three events:

foo=a
foo=b
foo=c

I then have a sourcetype called sourcetype2 that contains the following 4 events:

bar=x, othervalue=4
bar=y, othervalue=3
bar=z, othervalue=2
bar=a, othervalue=1

If I do the simple search

index=myindex sourcetype=sourcetype1 | fields foo

I get back the expected 3 events: a, b, c.

I then try to use the map command

index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=$foo$"

and I get the error

[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'map' command: Unable to run query 'search index=index2 bar=a'.

which makes me sad.

To further my confusion if I try a search just to get some different results

index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=x"

I end up the results

a
b
c

which acts as if the subsearch never occurred. Any thoughts?

Thanks,

Kevin

Re: Error in use of 'map' search command

gkanapathy — Tue, 30 Nov 2010 07:29:19 GMT

Is all the search and indexing on one Splunk instance, or do you have multiple indexers and/or a separate search head? Until 4.2, the map command will not issue searches in distributed mode. Also, I believe that unless you specify otherwise, the maxsearches option to the map command defaults to 1, so you should set that higher.

Also, I'm assuming you're replacing real terms with foo and bar and a and b etc., but the error you get is usually because the search you've constructed is syntactically invalid. Try perhaps putting quotes around the argument:

... | map search="search index=index2 bar=\"$foo$\""

Re: Error in use of 'map' search command

kevintelford — Wed, 01 Dec 2010 02:04:21 GMT

@gkanapathy,

Good call on the quotes around $foo$. Single quotes work as well. I also added maxsearches. So that fixes the error I was getting. Running the fixed syntax still yields me with the 3 results that the initial search produces. Its as if the map command isn't being run at all.

Right now I'm running this command against a single index, multiple sourcetypes (which differs from above, I'll update to reflect), on a single Splunk instance.

Re: Error in use of 'map' search command

araitz — Wed, 01 Dec 2010 12:46:21 GMT

Yeah, ummm, I've never had much (okay, ANY) success with the map command. I would recommend using the python API that Splunk ships with to automate this.

Re: Error in use of 'map' search command

Glenn — Fri, 24 Dec 2010 20:10:31 GMT

I second the claim that this doesn't work. I only get the results from the original search, which is annoying as otherwise this would be a very useful command.

The only time I have ever see this actually work as claimed is when invoking after a "| metadata" search, and then using map to iterate over hosts as suggested here: http://answers.splunk.com/questions/8175/iterate-a-search-over-a-collection-of-variables

Are the results that come back from a metadata search different from normal events?

I guess I will log a case about it.

Re: Error in use of 'map' search command

carasso — Mon, 26 Sep 2011 22:11:56 GMT

Map has been fixed for 4.2.4

Re: Error in use of 'map' search command

araitz — Tue, 27 Sep 2011 06:36:37 GMT

Better late than clever 😛