Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I pass a default value to the map command?

caili
Path Finder
‎08-12-2015 11:05 PM

My searce Query is:

index=ies_log ruleid=50513 earliest=-7d@d|eval start_time=relative_time(date,"-5m@m")|eval start_time=strftime(start_time, "%m/%d/%Y:%H:%M:%S")|eval end_time=strftime(date, "%m/%d/%Y:%H:%M:%S" )|fields start_time,end_time,sip,dip,dport |map search="search index=ies_log ruleid=20347 earliest=$start_time$ latest=$end_time$ sip=$sip$ dip=$dip$ dport=$dport$" maxsearches=10000|stats dc(dip)

If no event found before map command, then all the arguments have no value passed,
and the error is:
Error in 'map': Did not find value for required attribute 'st'.

Can I pass a default value to the command? How?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-13-2015 09:04 AM

You can do it like this (but I don't know why you would like to do so):

index=ies_log ruleid=50513 earliest=-7d@d|eval start_time=relative_time(date,"-5m@m")|eval start_time=strftime(start_time, "%m/%d/%Y:%H:%M:%S")|eval end_time=strftime(date, "%m/%d/%Y:%H:%M:%S" ) | append [|noop | stats count AS sip| eval start_time=DEFAULT | eval end_time=DEFAULT | eval sip=DEFAULT | eval dip=DEFAULT | eval dport = DEFAULT] |fields start_time,end_time,sip,dip,dport |map search="search index=ies_log ruleid=20347 earliest=$start_time$ latest=$end_time$ sip=$sip$ dip=$dip$ dport=$dport$" maxsearches=10000|stats dc(dip)

It is not exactly what you asked, though, because the default will always run as the last map.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-13-2015 09:04 AM

You can do it like this (but I don't know why you would like to do so):

index=ies_log ruleid=50513 earliest=-7d@d|eval start_time=relative_time(date,"-5m@m")|eval start_time=strftime(start_time, "%m/%d/%Y:%H:%M:%S")|eval end_time=strftime(date, "%m/%d/%Y:%H:%M:%S" ) | append [|noop | stats count AS sip| eval start_time=DEFAULT | eval end_time=DEFAULT | eval sip=DEFAULT | eval dip=DEFAULT | eval dport = DEFAULT] |fields start_time,end_time,sip,dip,dport |map search="search index=ies_log ruleid=20347 earliest=$start_time$ latest=$end_time$ sip=$sip$ dip=$dip$ dport=$dport$" maxsearches=10000|stats dc(dip)

It is not exactly what you asked, though, because the default will always run as the last map.

Reply
Solved! Jump to solution

caili
Path Finder
‎08-13-2015 10:22 PM

U resolved my question, thanks!

I can pass an invalid data to the arguments, so the last map can't search it.

If no default value given, then no event whose ruleid is 50513 is found, the search report error, but i want it returns 0.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-14-2015 07:24 AM

OK, so you have what you need then? If so, be sure to close the question by clicking "Accept".

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...