Re: Error in use of 'map' search command

kevintelford · ‎11-29-2010

I have a sourcetype called sourcetype1 that contains the following three events:

foo=a
foo=b
foo=c

I then have a sourcetype called sourcetype2 that contains the following 4 events:

bar=x, othervalue=4
bar=y, othervalue=3
bar=z, othervalue=2
bar=a, othervalue=1

If I do the simple search

index=myindex sourcetype=sourcetype1 | fields foo

I get back the expected 3 events: a, b, c.

I then try to use the map command

index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=$foo$"

and I get the error

[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'map' command: Unable to run query 'search index=index2 bar=a'.

which makes me sad.

To further my confusion if I try a search just to get some different results

index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=x"

I end up the results

a
b
c

which acts as if the subsearch never occurred. Any thoughts?

Thanks,

Kevin

gkanapathy · ‎11-29-2010

Is all the search and indexing on one Splunk instance, or do you have multiple indexers and/or a separate search head? Until 4.2, the map command will not issue searches in distributed mode. Also, I believe that unless you specify otherwise, the maxsearches option to the map command defaults to 1, so you should set that higher.

Also, I'm assuming you're replacing real terms with foo and bar and a and b etc., but the error you get is usually because the search you've constructed is syntactically invalid. Try perhaps putting quotes around the argument:

... | map search="search index=index2 bar=\"$foo$\""

araitz · ‎09-26-2011

Better late than clever 😛

carasso · ‎09-26-2011

Map has been fixed for 4.2.4

Glenn · ‎12-24-2010

I second the claim that this doesn't work. I only get the results from the original search, which is annoying as otherwise this would be a very useful command.

The only time I have ever see this actually work as claimed is when invoking after a "| metadata" search, and then using map to iterate over hosts as suggested here: http://answers.splunk.com/questions/8175/iterate-a-search-over-a-collection-of-variables

Are the results that come back from a metadata search different from normal events?

I guess I will log a case about it.

araitz · ‎12-01-2010

Yeah, ummm, I've never had much (okay, ANY) success with the map command. I would recommend using the python API that Splunk ships with to automate this.

kevintelford · ‎11-30-2010

@gkanapathy,

Good call on the quotes around $foo$. Single quotes work as well. I also added maxsearches. So that fixes the error I was getting. Running the fixed syntax still yields me with the 3 results that the initial search produces. Its as if the map command isn't being run at all.

Right now I'm running this command against a single index, multiple sourcetypes (which differs from above, I'll update to reflect), on a single Splunk instance.

Error in use of 'map' search command

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation