Alerting

Map command breaks when scheduled

Joshua
Explorer

I am running a custom python search command for custom alerting from Splunk which takes variables from the search query and uses the map command to feed the set variables into the script.

I'll use the sendemail command as an example:

    host="myserver" "OutOfMemory" | map search="| sendemail to="test@test.com" subject=$host$ server="mailhost""

This works perfectly when run directly via the GUI search; however, if I turn this into a ScheduledSearch using the same query it doesn't work. Splunk logs indicate that it ran successfully and didn't encounter any exceptions, however my email does not get sent.

By turning the sendemail function to echo the output into a text file I can see that nothing happens either. What gets interesting is that if I replace $host$ with "myservername" and don't use any $variables$ it works!

I have tried escaping the strings passed to the python script directly within the script when extracting the variables, though it has no effect.

    subject=\"\'$host$\'\"

By double quoting the above it still works via the GUI, though when scheduled my email sends but with the subject as just the inner quotes - \'\'

This indicates that the variable is either not being transformed or is replaced with nothing.

I have tried placing the entire search query again within the sub map search, with no effect either...

Any suggestions would be great, otherwise I'll have to raise a support case.

Note: This is on a Windows server.

1 Solution

carasso
Splunk Employee

Your quoting is wrong for the map command. Try using the subsearch syntax.
e.g.

    | map [ sendemail to="test@test.com" subject=$host$ server="mailhost"]

See:

http://splunk-base.splunk.com/answers/27012/whats-wrong-with-this-map-search-command


s_n
Engager

Old topic, but someone may find it via Google looking for a solution.
For me, a saved search with a map command to which $variable$ is passed worked in the following way...

savedsearch_1:

    foo | map savedsearch_2 var1=$var1$ var2=$var2$

savedsearch_2:

    search bar | where var1=$var1$ var2=$var2$ | head 1

Trying different syntax like:

    foo | map search="search bar | where var1=\"$var1\" var2=\"var2\" | head 1"

worked well in interactive search, but when saved and scheduled the variables weren't passed to the map command, so the search always returned no results.
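Both working patterns from this thread written out as savedsearches.conf stanzas, as an added example that is not from any post here: the first stanza schedules the subsearch form of map from the accepted answer, the second pair mirrors s_n's saved-search approach. Stanza names, cron schedules, time ranges and the search terms are placeholders.

```ini
# Constructed example: $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
# Stanza names, schedules and search terms are placeholders.

# Scheduled alert using the subsearch form of map (accepted answer).
# map fills in $host$ per result; the token sits inside [ ], not inside
# a quoted search="..." string, which is the form that lost it when scheduled.
[oom_alert_mapped]
search = host="myserver" "OutOfMemory" | map [ sendemail to="test@test.com" subject=$host$ server="mailhost" ]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now

# Outer scheduled search: each result of foo is handed to the inner saved search.
[savedsearch_1]
search = foo | map savedsearch_2
enableSched = 1
cron_schedule = 0 * * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now

# Inner saved search: map replaces $var1$ and $var2$ with the field values of
# each outer result. Not scheduled on its own; it only runs through map.
[savedsearch_2]
search = search bar var1="$var1$" var2="$var2$" | head 1
enableSched = 0
```

Reload the app (or restart splunkd) after editing the file, then check the scheduler's run of oom_alert_mapped in the Job Inspector to confirm the mapped subsearch received a real host value rather than an empty string.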

traugust
Explorer

Thanks a lot for sharing this approach! It helped me out and I can confirm that it worked for me as a solution for the above problem.


tysonstewart
Path Finder

Just wanted to highlight the fact that the key here is saving a search for the map command to use. Variable names inside a string disappear when run by the scheduler.


Joshua
Explorer

Workaround developed until a resolution for this method is found.
