Solved: Why does a one word message_subject disappear in m...

nick405060 · ‎01-16-2019

Why do two word message_subjects (e.g. "hi tom") or a message_subject with a single quotation mark after it (e.g. "hi\"") table the result properly, while a message_subject with a single word (e.g. "hi") not table? :

| makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=$message_subject$" | table message_subject

nick405060 · ‎01-16-2019

Solution is to put quotes around $message_subject$ in the mapped search. No idea why.

 | makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=\"$message_subject$\"" | table message_subject

View solution in original post

nick405060 · ‎01-16-2019

Solution is to put quotes around $message_subject$ in the mapped search. No idea why.

 | makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=\"$message_subject$\"" | table message_subject

Why does a one word message_subject disappear in my search? Crazy behavior

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Are you a member of the Splunk Community?

Why does a one word message_subject disappear in my search? Crazy behavior

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0