Hello Splunkers!!
I am facing an issue while running the search below, as you can see in the screenshot. Can anyone help me fix this issue?
Search query:
| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)` earliest=`bin($earliest$,300,-10800)` latest=`bin($latest$,300,+300)``"
| where false()
Screenshot of the query error:
[| makeresults
| addinfo
| eval search="_indextime>=".tostring(300*trunc(info_min_time/300))." _indextime<".tostring((300*trunc(info_min_time/300))+300)." earliest=".tostring((300*trunc(info_min_time/300))-10800)." latest=".tostring((300*trunc(info_max_time/300))+300)
| fields search] `scada_alarms`
They look like back-quotes ` which delimit macros - I suspect you should be using single quotes ' for delimiting field names.
@ITWhisperer You are always a savior for me. As suggested, I have replaced the back-quotes with single quotes. No error found, but no events generated.
Perhaps we need to take a step back - what is it you are actually trying to do because it looks like a complicated way of doing things for which there might be a simpler solution. For example, using the map command can be quite complex and should probably be avoided if possible.
@ITWhisperer The complete search is below, where we are using the macro scada_alarms; that is why we are using the map command. Is there anything I need to fix here?
| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search 'indextime'>='bin($earliest$,300)' 'indextime'<'bin($earliest$,300,+300)' 'earliest='bin($earliest$,300,-10800)'' 'latest='bin($latest$,300,+300)' `scada_alarms`\
| where _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`'"
|`maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\
Since you are using macros, you may want to go back to using back-quotes, but in order for us to be able to help you, you should post the expanded version of the search (Ctrl-Shift-E).
@ITWhisperer I have tried both methods, but with the complete search the macro is not producing any results. At the end I have pasted the macro.
| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)`earliest=`bin($earliest$,300,-10800)` `latest=`bin($latest$,300,+300)'``scada_alarms``")`
| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)`earliest=`bin($earliest$,300,-10800)` `latest=`bin($latest$,300,+300)'``scada_alarms`\| where _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`\
`maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\| where false()
==============COMPLETE MACRO=======
index=ABC sourcetype="ABC" "EquipmentEventReport.EquipmentEvent.Detail.State" IN("CAME_IN","WENT_OUT") | fields _raw | spath output=equipment_event path="EquipmentEventReport.EquipmentEvent" | fields - _raw | mvexpand equipment_event | spath input=equipment_event output=error_status path="Detail.State" | where error_status IN("CAME_IN","WENT_OUT") | spath input=equipment_event output=_time path="Detail.EventTime" | spath input=equipment_event output=operator_id path="Detail.OperatorID" | spath input=equipment_event output=area path="ID.Location.PhysicalLocation.AreaID" | spath input=equipment_event output=zone path="ID.Location.PhysicalLocation.ZoneID" | spath input=equipment_event output=equipment path="ID.Location.PhysicalLocation.EquipmentID" | spath input=equipment_event output=element path="ID.Location.PhysicalLocation.ElementID" | spath input=equipment_event output=error path="ID.MIS_Address" | fields - equipment_event | eval area=`format_area_id(area)`, zone=`format_zone_id(zone)`, equipment=`format_equipment_id(equipment)`, element=`format_element_id(element)`, isc_id = `to_location(area,zone,equipment,element)`, element=if(tonumber(element) > 0, element, null()) | lookup isc id AS isc_id OUTPUTNEW statistical_subject | lookup detail_status mis_address AS error component_type_id AS statistical_subject OUTPUTNEW alarm_severity | where alarm_severity in ("Safety","High","Medium","Low") | eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S.%N%Z"), status=if(error_status="WENT_OUT",null(),error) | fields _time area zone equipment element isc_id error error_status operator_id status
If I am reading this correctly, scada_alarms is a macro that expands to the part you have headed "COMPLETE MACRO", and you are attempting to use this macro inside a map search?
If this is the case, it is possible that the macro is expanded before the map command is executed, and since the macro contains double quotes, this is probably terminating the search string at this point; the remainder of the expanded macro is then parsed as part of the main search, which then fails - is this what could be going on?
@ITWhisperer Yes, I want to use that macro in the map command. And do you want me to remove the double quotes from here: | map search="search
Below is the complete search:
addinfo
| eval earliest=max(trunc(info_min_time),info_min_time),latest=min(max(trunc(info_max_time),info_max_time+0),2000000000)
| map search="search 'indextime'>='bin($earliest$,300)' 'indextime'<'bin($earliest$,300,+300)' 'earliest='bin($earliest$,300,-10800)'' 'latest='bin($latest$,300,+300)' `scada_alarms`\
| where _time>=`bin($earliest$,300,-10800)` AND _time<`bin($latest$,300,+900)`'"
|`maintain(index=si_error,source=scada,group=\\\"isc_id,error\\\",status=status,info=\\\"area,zone,equipment,element,error_status,operator_id\\\",span=300,earliest=$earliest$,latest=$latest$,extrapolate_condition=\\\"time-start_time <= 172800\\\")`")`\
Rather than using the map command (which doesn't appear to expand macros), you could try something like this:
[| makeresults
| addinfo
| eval search=`indextime`.">=".`bin(info_min_time,300)`." ".`indextime`."<".`bin(info_min_time,300,+300)`." earliest=".`bin(info_min_time,300,-10800)`." latest=".`bin(info_max_time,300,+300)`
| fields search] `scada_alarms`
Or you may need to manually expand the indextime and bin macros (I have no idea what these are!)
@ITWhisperer I think I am very close to getting the search to execute. Please suggest what I should do next?
[| makeresults
| addinfo
| eval search="_indextime>=".tostring(300*trunc(info_min_time/300))." _indextime<".tostring((300*trunc(info_min_time/300))+300)." earliest=".tostring((300*trunc(info_min_time/300))-10800)." latest=".tostring((300*trunc(info_max_time/300))+300)
| fields search] `scada_alarms`
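As an added illustration (not code from the thread), here is a small Python model of the arithmetic the subsearch eval above performs on addinfo's info_min_time/info_max_time, so the generated _indextime/earliest/latest bounds can be checked offline against a sample event; the epoch values and events are constructed.

```python
import math

SPAN = 300        # 5-minute buckets, as used throughout the thread's searches
LOOKBACK = 10800  # 3-hour offset applied to earliest in the thread's searches


def bucket(t, span=SPAN, offset=0):
    """Mirror of the thread's span*trunc(t/span)+offset arithmetic (the bin macro)."""
    return span * math.trunc(t / span) + offset


def window(info_min_time, info_max_time, span=SPAN):
    """Numeric bounds the subsearch produces: (indextime_lo, indextime_hi, earliest, latest)."""
    start = bucket(info_min_time, span)
    return start, start + span, start - LOOKBACK, bucket(info_max_time, span, span)


def build_search(info_min_time, info_max_time, span=SPAN):
    """Return the same search string as the thread's `eval search=...` subsearch."""
    it_lo, it_hi, earliest, latest = window(info_min_time, info_max_time, span)
    return "_indextime>={} _indextime<{} earliest={} latest={}".format(
        it_lo, it_hi, earliest, latest)


def matches(event, info_min_time, info_max_time, span=SPAN):
    """Would an event with these _time/_indextime values pass the generated filters?
    earliest/latest are inclusive-start, exclusive-end on _time, like Splunk."""
    it_lo, it_hi, earliest, latest = window(info_min_time, info_max_time, span)
    return it_lo <= event["_indextime"] < it_hi and earliest <= event["_time"] < latest


if __name__ == "__main__":
    # Constructed: a 24-hour search range and two sample events.
    min_t, max_t = 1700000123, 1700086523
    print(build_search(min_t, max_t))
    # Indexed within the first 5-minute bucket of the range: matches.
    print(matches({"_indextime": 1700000250, "_time": 1699995000}, min_t, max_t))
    # Indexed an hour into the range: excluded by the _indextime window.
    print(matches({"_indextime": 1700003700, "_time": 1700003600}, min_t, max_t))
```

The _indextime window is only one span (300 s) wide, starting at the bucket containing info_min_time, so events indexed later within a longer ad-hoc search range are excluded by construction.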
Since the only macro you appear to be using in that search is scada_alarms this would suggest that this macro is not available to you - please ensure that the macro is available.
What about the macro for bin?
@ITWhisperer The search I have mentioned is not giving any error, but no events are populated when it runs.
It is hard to see from the graphic, but are there single quotes or back-quotes around the indextime and bin macros? They need to be back-quotes for macros. (This is counter to my original suggestion as it wasn't clear at the time that you were using so many macros.)
Can anyone suggest what values I should pass to complete the search?
| makeresults
| addinfo
| eval earliest=max(trunc(info_min_time),info_min_time), latest=min(max(trunc(info_max_time),(info_max_time + 0)),2000000000)
| map search="search `indextime`>=`bin($earliest$,300)` `indextime`<`bin($earliest$,300,+300)` earliest=`bin($earliest$,300,-10800)` latest=`bin($latest$,300,+300)` `"
Hi @uagraw01,
Have you tried to get more information about the warning in the job inspector? If the job inspector contains any logs related to the execution of this query, it would help to find what is causing the warning.