Can't MAP a host field with an IN clause in a map search

verbal_666
Builder

As in the subject, it's a strange behaviour: I can't use an IN clause with the host field in a map search.

Here's my search,

|inputlookup list.csv|where tag="locals"
|map maxsearches=50 search="search index=* host IN($hostnames$) source=$source$|table host,source"

The first line works, all fields are passed to map (I also tried displaying the fields in the map search, and all fields are OK).
The second line, the map, does not work with the IN clause and a "hostnames" field with more than 1 host.

list.csv

NOT WORKING
tag     hostnames   source
locals  host1,host2 /tmp/*logs
locals  host1,host2 /tmp/*TXT
locals  host1,host2 /tmp/*json

WORKING
tag     hostnames   source
locals  host1   /tmp/*logs
locals  host2   /tmp/*logs
locals  host1   /tmp/*TXT
locals  host2   /tmp/*TXT
locals  host1   /tmp/*json
locals  host2   /tmp/*json

I also tried a

host IN(*$hostnames$*)

but this is like an IN(**): the variable seems to be null, but I can display it if I try a

|makeresults|eval host=$hostnames$|table host

Why?
Suggestions?

1 Solution

verbal_666
Builder

Gotcha...

 |inputlookup list.csv|where tag="locals"
 |map maxsearches=50 search="search index=* host IN([|makeresults|eval h=$hostnames$|return $h]) source=$source$|table host,source"

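The accepted fix laid out across lines, preceded by a dry-run check, as an added example rather than the poster's own search. It assumes the constructed list.csv from the question (columns tag, hostnames, source with rows such as locals / host1,host2 / /tmp/*logs). The map command pastes each row's cell text verbatim into the search template, which is both why the double quotes appear and why whoever can edit list.csv decides what those up-to-50 generated searches do; the first search substitutes the values into a makeresults search instead of a real one, so the literal text map builds (here the string host1,host2 and /tmp/*logs) can be inspected without touching the index, and the second is the solution itself.

```spl
| inputlookup list.csv
| where tag="locals"
| map maxsearches=50 search="| makeresults | eval host=$hostnames$, source=$source$ | table host, source"

| inputlookup list.csv
| where tag="locals"
| map maxsearches=50 search="search index=* host IN([| makeresults | eval h=$hostnames$ | return $h]) source=$source$ | table host, source"
```

Run the two searches separately. If the dry run shows a value you did not expect in host or source, fix the lookup before running the second search, and keep write access to list.csv limited to the people who should be able to shape these searches.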


verbal_666
Builder

Found the problem. Inputlookup passes variables to the map with double quotes, so a single host gets through, but a list in an IN clause does not.

Ex.

host1,host2

become, literally,

"host1,host2"

so

IN("host1,host2")

is not parsed correctly,

host1 IN(host1)

is parsed correctly, without double quotes, but the quoted form also works with a single host. A null string is passed as "".

Trying to remove the quotes.

Another workaround, bad but working, is something like adding single-host fields to the csv,

h1,h2,h3,h4

and

(host=$h1$ OR host=$h2$ OR host=$h3$ OR host=$h4$)

in the map search. Very bad, but it works.


kamlesh_vaghela
SplunkTrust
SplunkTrust

@verbal_666

Not sure about map, but you can try the search below.

index=*  [ |inputlookup list.csv|where tag="locals" | eval hostnames =split(hostnames,",") | mvexpand hostnames | table  hostnames source   ] |table host,source

verbal_666
Builder

Thanks a lot.
But I have built this little "Engine" for the "map" command; in reality the csv has many, many more fields (earliest, latest, thresholds, pattern to find, etc.). The MAP command works perfectly, only the IN clause does not when I have more than 1 host!!!!!!! 😐 ..... Also, the "table host,source" above is only an example; in the real searches I have more than 10 piped commands. It works, but the "host IN" with multiple hosts does NOT 😐 😐 😐

With the subsearch I would need to change many things. Also, the subsearch above, I think, should end with a "format" command, and hostnames should be renamed to "host" to work properly.

I prefer to fix the "map", for now.
Thanks a lot.

PS: as a workaround I fixed the "IN problem" with a tag/eventtype in front, which lets me search what I need:

|map maxsearches=50 search="search tag=MYTAG source=$source$|table host,source"

.... the tag/eventtype contains the index and hosts I need .................. I want to bypass the tag as well.

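For completeness, kamlesh_vaghela's subsearch with the two changes verbal_666 says it would need (the expanded hostnames renamed to host so they match the event field, and an explicit format), as an added example that is not anyone's posted search. It assumes the same constructed list.csv (tag, hostnames, source) from the question; each row's comma-separated hostnames are split into a multivalue field and expanded into one row per host, so the subsearch hands the outer search an OR of (host AND source) pairs instead of a quoted "host1,host2" string.

```spl
index=*
    [ | inputlookup list.csv
      | where tag="locals"
      | eval host=split(hostnames, ",")
      | mvexpand host
      | table host, source
      | format ]
| table host, source
```

For the six rows in the question this yields the same events as the map version, but with a single search; it does not carry the per-row earliest, latest and other fields the poster's larger csv relies on, which is why the map form was kept there.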