Splunk Search

Error in use of 'map' search command

kevintelford
Path Finder

I have a sourcetype called sourcetype1 that contains the following three events:

foo=a
foo=b
foo=c

I then have a sourcetype called sourcetype2 that contains the following 4 events:

bar=x, othervalue=4
bar=y, othervalue=3
bar=z, othervalue=2
bar=a, othervalue=1

If I do the simple search

index=myindex sourcetype=sourcetype1 | fields foo

I get back the expected 3 events: a, b, c.

I then try to use the map command

index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=$foo$"

and I get the error

[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'map' command: Unable to run query 'search index=index2 bar=a'.

which makes me sad.

To further my confusion, if I try a search just to get some different results

index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=x"

I end up with the results

a
b
c

which acts as if the subsearch never occurred. Any thoughts?

Thanks,

Kevin


gkanapathy
Splunk Employee

Is all the search and indexing on one Splunk instance, or do you have multiple indexers and/or a separate search head? Until 4.2, the map command will not issue searches in distributed mode. Also, I believe that unless you specify otherwise, the maxsearches option to the map command defaults to 1, so you should set that higher.

Also, I'm assuming you're replacing real terms with foo and bar and a and b etc., but the error you get is usually because the search you've constructed is syntactically invalid. Try perhaps putting quotes around the argument:

... | map search="search index=index2 bar=\"$foo$\""

araitz
Splunk Employee

Better late than clever 😛


carasso
Splunk Employee

Map has been fixed for 4.2.4

Glenn
Builder

I second the claim that this doesn't work. I only get the results from the original search, which is annoying as otherwise this would be a very useful command.

The only time I have ever seen this actually work as claimed is when invoking it after a "| metadata" search, and then using map to iterate over hosts as suggested here: http://answers.splunk.com/questions/8175/iterate-a-search-over-a-collection-of-variables

Are the results that come back from a metadata search different from normal events?

I guess I will log a case about it.


araitz
Splunk Employee

Yeah, ummm, I've never had much (okay, ANY) success with the map command. I would recommend using the python API that Splunk ships with to automate this.


kevintelford
Path Finder

@gkanapathy,

Good call on the quotes around $foo$. Single quotes work as well. I also added maxsearches. So that fixes the error I was getting. Running the fixed syntax still yields the 3 results that the initial search produces. It's as if the map command isn't being run at all.

Right now I'm running this command against a single index, multiple sourcetypes (which differs from above, I'll update to reflect), on a single Splunk instance.

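An added example, not from this thread or from Splunk: a Python sketch of what araitz suggests, iterating the outer search's rows into a per-row inner search the way map does, with gkanapathy's quoting applied to every $field$ value (so a field value containing a quote or a pipe cannot change the generated search) and an explicit maxsearches cap. The search runner is injected and here is a constructed stand-in over the question's events; against a real instance it would wrap splunklib's service.jobs.oneshot().

```python
import re
from typing import Callable, Iterable

# Constructed sample events mirroring the question (not real index data).
SOURCETYPE1 = [{"foo": "a"}, {"foo": "b"}, {"foo": "c"}]
SOURCETYPE2 = [
    {"bar": "x", "othervalue": "4"},
    {"bar": "y", "othervalue": "3"},
    {"bar": "z", "othervalue": "2"},
    {"bar": "a", "othervalue": "1"},
]
TEMPLATE = "search index=myindex sourcetype=sourcetype2 bar=$foo$"


def spl_quote(value: str) -> str:
    """Wrap value in double quotes, escaping backslash and quote (SPL string rules)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_template(template: str, row: dict) -> str:
    """Expand $field$ tokens from one outer-search row. Every value is quoted, so a
    value such as  a" | delete  stays a literal instead of altering the search."""
    def sub(m):
        return spl_quote(str(row[m.group(1)]))  # KeyError if the field is absent
    return re.sub(r"\$(\w+)\$", sub, template)


def run_map(outer_rows: Iterable[dict], template: str,
            run_search: Callable[[str], list], maxsearches: int = 1) -> list:
    """Run one inner search per outer row, up to maxsearches. The default of 1
    matches map's default as described in the thread: only the first row's
    search is issued unless the cap is raised."""
    merged = []
    for i, row in enumerate(outer_rows):
        if i >= maxsearches:
            break
        merged.extend(run_search(render_template(template, row)))
    return merged


def fake_run_search(query: str) -> list:
    """Stand-in for a real search call: filters SOURCETYPE2 on bar="<value>"."""
    m = re.search(r'bar="((?:\\.|[^"\\])*)"', query)
    if m is None:
        raise ValueError(f"Unable to run query {query!r}")
    wanted = re.sub(r"\\(.)", r"\1", m.group(1))  # undo the SPL escaping
    return [e for e in SOURCETYPE2 if e["bar"] == wanted]


if __name__ == "__main__":
    for r in SOURCETYPE1:
        print(render_template(TEMPLATE, r))
    print(run_map(SOURCETYPE1, TEMPLATE, fake_run_search, maxsearches=10))
```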