As in the subject, it's a strange behaviour: I can't use an IN clause with the host field in a map search.
Here's my search,
|inputlookup list.csv|where tag="locals" |map maxsearches=50 search="search index=* host IN($hostnames$) source=$source$|table host,source"
The first line works; all fields are passed to map (I also tried displaying the fields in the map search, and all fields are OK).
The second line, the map, does not work with the IN clause and a "hostnames" field with more than 1 host.
NOT WORKING

tag     hostnames    source
locals  host1,host2  /tmp/*logs
locals  host1,host2  /tmp/*TXT
locals  host1,host2  /tmp/*json

WORKING

tag     hostnames    source
locals  host1        /tmp/*logs
locals  host2        /tmp/*logs
locals  host1        /tmp/*TXT
locals  host2        /tmp/*TXT
locals  host1        /tmp/*json
locals  host2        /tmp/*json
I also tried a
but this is like an IN(**), the variable seems to be null, but I can display it if I try a
|makeresults|eval host=$hostnames$|table host
Not sure about map, but you can try the search below.
index=* [ |inputlookup list.csv|where tag="locals" | eval hostnames =split(hostnames,",") | mvexpand hostnames | table hostnames source ] |table host,source
Thanks a lot.
But I have built this little "Engine" for the "map" command; in reality the csv has many, many more fields (earliest, latest, thresholds, pattern to find etc.....). The MAP command works perfectly, only the IN clause does not when I have more than 1 host!!!!!!! 😐 .....also, the "table host,source" above is only an example, in the real searches I have more than 10 piped commands. It works, but the "host IN" with multiple hosts does NOT 😐 😐 😐
With the subsearch I would need to change many things. Also, the subsearch above, I think, should be ended with a "format" command and also have hostnames renamed to "host" to work fine.
I prefer to fix the "map", for now.
Thanks a lot.
P.S. As a workaround, I fixed the "IN problem" with a tag/eventtype in front, which lets me search for what I need
|map maxsearches=50 search="search tag=MYTAG source=$source$|table host,source"
....the tag/eventtype contains the index and hosts I need.................. I also want to bypass the tag.
Found the problem. Inputlookup passes variables to the map with double quotes, so a single host is matched, but a list in an IN clause is not.
is not parsed correctly,
is parsed correctly, without double quotes, but quoting also works with a single host. A null string is passed as "".
Trying to remove the quotes.
Another workaround, bad but working, is something like adding single host fields in the csv,
(host=$h1$ OR host=$h2$ OR host=$h3$ OR host=$h4$)
in the map search. Very bad, but it works.
|inputlookup list.csv|where tag="locals" |map maxsearches=50 search="search index=* host IN([|makeresults|eval h=$hostnames$|return $h]) source=$source$|table host,source"
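A simplified Python model of the quoting behaviour described in this thread, added here as an illustration; it is not code from any poster and it is not Splunk's parser. The function names and the substitution rule (every `$field$` value wrapped in double quotes) are assumptions taken from the observation above, and the sample row is constructed from the tables in the question.

```python
import re

# Search template from the thread's map command.
TEMPLATE = "search index=* host IN($hostnames$) source=$source$|table host,source"


def render_map_search(template, row):
    """Substitute $field$ tokens, wrapping each value in double quotes.
    Assumed model of the behaviour reported in the thread."""
    def quote(match):
        return '"' + str(row.get(match.group(1), "")) + '"'
    return re.sub(r"\$(\w+)\$", quote, template)


def in_clause_values(search, field="host"):
    """Return the literal values inside `field IN(...)`.
    Commas only separate values when they are outside double quotes."""
    match = re.search(re.escape(field) + r"\s+IN\s*\(([^)]*)\)", search)
    if not match:
        return []
    values, buf, quoted = [], "", False
    for ch in match.group(1):
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            values.append(buf.strip())
            buf = ""
        else:
            buf += ch
    values.append(buf.strip())
    return [v for v in values if v]


def split_hostnames(row):
    """One row per host, like the WORKING table and the split/mvexpand reply."""
    hosts = [h.strip() for h in row["hostnames"].split(",") if h.strip()]
    return [dict(row, hostnames=h) for h in hosts]


if __name__ == "__main__":
    # Constructed sample row matching the NOT WORKING table.
    row = {"tag": "locals", "hostnames": "host1,host2", "source": "/tmp/*logs"}
    rendered = render_map_search(TEMPLATE, row)
    print(rendered)
    print("values seen by IN:", in_clause_values(rendered))
    for single in split_hostnames(row):
        print(in_clause_values(render_map_search(TEMPLATE, single)))
```

In this model the quoted list reaches IN as one literal, `host1,host2`, which matches no host, while the per-host rows each produce a single valid value.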