Solved: Why does a one word message_subject disappear in m...

nick405060 · ‎01-16-2019

Why do two word message_subjects (e.g. "hi tom") or a message_subject with a single quotation mark after it (e.g. "hi\"") table the result properly, while a message_subject with a single word (e.g. "hi") not table? :

| makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=$message_subject$" | table message_subject

nick405060 · ‎01-16-2019

Solution is to put quotes around $message_subject$ in the mapped search. No idea why.

 | makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=\"$message_subject$\"" | table message_subject

View solution in original post

nick405060 · ‎01-16-2019

Solution is to put quotes around $message_subject$ in the mapped search. No idea why.

 | makeresults | eval message_subject="hi" | map maxsearches=10000 search="| makeresults | eval message_subject=\"$message_subject$\"" | table message_subject

Why does a one word message_subject disappear in my search? Crazy behavior

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Join the Conversation

Why does a one word message_subject disappear in my search? Crazy behavior

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...