Solved: Why does a one word message_subject disappear in m...

nick405060 · ‎01-16-2019

Why do two word message_subjects (e.g. "hi tom") or a message_subject with a single quotation mark after it (e.g. "hi\"") table the result properly, while a message_subject with a single word (e.g. "hi") not table? :

| makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=$message_subject$" | table message_subject

nick405060 · ‎01-16-2019

Solution is to put quotes around $message_subject$ in the mapped search. No idea why.

 | makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=\"$message_subject$\"" | table message_subject

View solution in original post

nick405060 · ‎01-16-2019

Solution is to put quotes around $message_subject$ in the mapped search. No idea why.

 | makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=\"$message_subject$\"" | table message_subject

Why does a one word message_subject disappear in my search? Crazy behavior

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

Splunk ITSI & Correlated Network Visibility

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Are you a member of the Splunk Community?

Why does a one word message_subject disappear in my search? Crazy behavior

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

Splunk ITSI & Correlated Network Visibility

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)