https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320756#M95855 <P>Show the output of this command:</P> <PRE><CODE>|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | head 2 </CODE></PRE> Mon, 29 May 2017 14:57:58 GMT woodcock 2017-05-29T14:57:58Z https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320755#M95854 <P>I have a search like this:</P> <P>|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*" $keyword$ | eval kw=$keyword$, rex=$regex$ | regex($regex$)]</P> <P>from some reason the kw field does not get a value, the kw field is displayed but It is always empty, if I look at search.log, I can see that the search is being parsed as:</P> <P>( index="*" IBAN ) | eval kw=IBAN, rex="[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}" | regex ("[a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16}")</P> <P>but in the results, rex does show a value, but kw does not. What am I missing here?</P> Mon, 29 May 2017 07:15:40 GMT https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320755#M95854 fvegdom 2017-05-29T07:15:40Z https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320756#M95855 <P>Show the output of this command:</P> <PRE><CODE>|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | head 2 </CODE></PRE> Mon, 29 May 2017 14:57:58 GMT https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320756#M95855 woodcock 2017-05-29T14:57:58Z https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320757#M95856 <P>Thanks for looking into this, that search gives me: </P> <PRE><CODE>IBAN [a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16} AccountNumber [a-zA-Z]{2}[0-9]{2}[a-zA-Z0-9]{4}[0-9]{7}([a-zA-Z0-9]?){0,16} </CODE></PRE> Mon, 29 May 2017 19:58:56 GMT https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320757#M95856 fvegdom 2017-05-29T19:58:56Z https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320758#M95857 <P>You need <CODE>double-quotes</CODE>, like this:</P> <PRE><CODE>|inputlookup CSV-Generic-GenCus-GenLBL-SensitiveDataKeyWords.csv | map [search index="*" $keyword$ | eval kw="$keyword$", rex="$regex$" | regex($regex$)] </CODE></PRE> Mon, 29 May 2017 20:37:04 GMT https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320758#M95857 woodcock 2017-05-29T20:37:04Z https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320759#M95858 <P>aha, I understand, that also explains why the regex was already showing up in the results, it is already enclosed by double quotes in the original CSV. </P> <P>works like a charm, thanks!</P> Tue, 30 May 2017 08:22:01 GMT https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320759#M95858 fvegdom 2017-05-30T08:22:01Z https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320760#M95859 <P>There are dangers to using the subsearch syntax ( <CODE>[]</CODE> ) instead of the normal double-quotes for <CODE>map</CODE>. It involves the fact that if your outer search is streaming (most likely), your subsearch will be restarted several times. If it does something like send an email with <CODE>sendemail</CODE>, you may find that it emails many times instead of the single time that you expected.</P> Thu, 12 Apr 2018 21:16:49 GMT https://community.splunk.com/t5/Splunk-Search/Field-not-fillled-through-eval-in-map/m-p/320760#M95859 woodcock 2018-04-12T21:16:49Z