Dashboards & Visualizations
Highlighted

Problem with command "map"

Path Finder

Hey guys!

So, I am having issues with the command map and was hoping someone can help me with this..
I have a Choropleth Map that displays number of events per country according to a search string. What I am trying to do is: drilldown the country name and the user name (from a multiselect input used to populate the map) once the person clicks on it to a Statistic Table. Problem is, in this table, I am also using the map command.
Here is an example of how my search looks like, more or less:

index=myindex | iplocation ip_address | search user="$UserDD$" AND Country="$PEC$" | map search="search index=myindex hash=$$hash$$" maxsearches=100 | stats ....."

I keep getting the error message "Error in 'map': Did not find value for required attribute 'hash'."
I already tried "$hash$", doesn't work..

PS: it works just fine if I put a country name (example: Brazil) and "hash" with only one two $ ("$hash$").

Can anyone please help me?
Thank you very much!!

0 Karma
Highlighted

Re: Problem with command "map"

Path Finder

Update: l realised that multiple drilldowns in a search string in the problem.. I have a panel that gets user values form a text input and time value from dropdown, and it is also not working..

0 Karma
Highlighted

Re: Problem with command "map"

Legend

@pamcarvalho, please add more details from your dashboard as requested. It will help us assist you better.




| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: Problem with command "map"

Legend

@pamcarvalho, Can you please add more details? Like the Simple XML code for multiselect input. Where are the tokens $UserDD$ and $PEC$ coming from (give code and sample data)?

What is hash and its sample values?

$$hash$$ seems invalid you should be using $hash$ if you want to use hash token from main search to be used inside map command i.e. index=myindexshould have hash field present.




| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: Problem with command "map"

Path Finder

@niketnilay, l don't have the code anymore, I changed my dashboard to make it work another way..

Just $hash$ doesn't work, I get the message that the string is waiting for an input, but with $$hash$$ I get the results, not sure why.

Anyway, after some tests, l found out what the problem was.

Recaptulating: I had only one multiselect input, that was feeding two Choropleth Maps and two Statistic Tables. The Statistic Tables mentioned, were getting information from the Choropleth Maps to give more information. These Tables had three drilldowns in the search string: the country one (when you click the Map), the user one (from the multiselect) and the hash one (map command).

The problem was the multiselect input. I am not sure why, but after l put another multiselect (one multiselect input for one Choropleth Map and one Statistic Table, and another one for the other two), it started working just fine! I really wanted to make it all work with just one multiselect feeding with users, but it's fine.

Thank you a lot for your time!

0 Karma
Highlighted

Re: Problem with command "map"

Legend

@pamcarvalho, while we would have liked to help you with your issues, seems like you already have a workaround/solution in place. Please convert your comment to Answer and Accept the same to mark this question as answered!




| eval message="Happy Splunking!!!"


0 Karma
Highlighted

Re: Problem with command "map"

Splunk Employee
Splunk Employee

It looks that double $ variable may not be correct.
Can you try with single $ around hash.

Also you will gain speed is you add the user condition BEFORE the iplocation, and also add a condition "hash=*" BEFORE the map to make sure that ONLY events with a "hash" field are scanned.

 index=myindex  user="$UserDD$"  hash=* | iplocation ip_address 
 | search Country="$PEC$" 
 | map search="search index=myindex hash=$hash$" maxsearches=100 
 | stats ..... 
0 Karma
Highlighted

Re: Problem with command "map"

Path Finder

@yannK, I can't get it to work with $hash$, but $$hash$$ works just fine, not sure why.. Anyway, I found another way to make it work, it's not the way I wanted at first, but it's fine.

The reason why l am not using "hash=*", is because all logs of this events hava the field hash, but thank you anyway!

Thank you very much about the other tip, l changed my search strings, and now my dashboard is way faster!

Once again, thank you very much for your help!

0 Karma
Highlighted

Re: Problem with command "map"

SplunkTrust
SplunkTrust

@pamcarvalho - This is in a search inside a form/dashboard? That explains the requirement for doubling the $$.

The XML eats one of each pair when evaluating the XML, and then the remaining code is what is executed. Consider that the XML has to know to treat these two token-like-things UserDD and hash differently...

 index=myindex  user="$UserDD$"  hash=* 

| map search="search index=myindex hash=$$hash$$" maxsearches=100 

The first one must be filled in by a token from the dash/form/panel, whereas the second one will be supplied by the search.

0 Karma
Highlighted

Re: Problem with command "map"

Path Finder

@DalJeanis hmm l see, makes sense.. In a Dashboard, l always have to use "$$" when inside the map command, thanks for clarifying this for me!
Sorry for taking so long to take back to you, I had no connection to the internet during the weekend..

About my problem:

" I had only one multiselect input, that was feeding two Choropleth Maps and two Statistic Tables. The Statistic Tables mentioned, were getting information from the Choropleth Maps to give more information. These Tables had three drilldowns in the search string: the country one (when you click the Map), the user one (from the multiselect) and the hash one (map command).

The problem was the multiselect input. I am not sure why, but after l put another multiselect (one multiselect input for one Choropleth Map and one Statistic Table, and another one for the other two), it started working just fine! I really wanted to make it all work with just one multiselect feeding with users."

Your search works for me, l tried that, but my problem is a little bit more complex 😕 I hope I mad myself clear about the problem.. Thank you very much 🙂

0 Karma