Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I pass a default value to the map command?

caili
Path Finder
‎08-12-2015 11:05 PM

My searce Query is:

index=ies_log ruleid=50513 earliest=-7d@d|eval start_time=relative_time(date,"-5m@m")|eval start_time=strftime(start_time, "%m/%d/%Y:%H:%M:%S")|eval end_time=strftime(date, "%m/%d/%Y:%H:%M:%S" )|fields start_time,end_time,sip,dip,dport |map search="search index=ies_log ruleid=20347 earliest=$start_time$ latest=$end_time$ sip=$sip$ dip=$dip$ dport=$dport$" maxsearches=10000|stats dc(dip)

If no event found before map command, then all the arguments have no value passed,
and the error is:
Error in 'map': Did not find value for required attribute 'st'.

Can I pass a default value to the command? How?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-13-2015 09:04 AM

You can do it like this (but I don't know why you would like to do so):

index=ies_log ruleid=50513 earliest=-7d@d|eval start_time=relative_time(date,"-5m@m")|eval start_time=strftime(start_time, "%m/%d/%Y:%H:%M:%S")|eval end_time=strftime(date, "%m/%d/%Y:%H:%M:%S" ) | append [|noop | stats count AS sip| eval start_time=DEFAULT | eval end_time=DEFAULT | eval sip=DEFAULT | eval dip=DEFAULT | eval dport = DEFAULT] |fields start_time,end_time,sip,dip,dport |map search="search index=ies_log ruleid=20347 earliest=$start_time$ latest=$end_time$ sip=$sip$ dip=$dip$ dport=$dport$" maxsearches=10000|stats dc(dip)

It is not exactly what you asked, though, because the default will always run as the last map.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎08-13-2015 09:04 AM

You can do it like this (but I don't know why you would like to do so):

index=ies_log ruleid=50513 earliest=-7d@d|eval start_time=relative_time(date,"-5m@m")|eval start_time=strftime(start_time, "%m/%d/%Y:%H:%M:%S")|eval end_time=strftime(date, "%m/%d/%Y:%H:%M:%S" ) | append [|noop | stats count AS sip| eval start_time=DEFAULT | eval end_time=DEFAULT | eval sip=DEFAULT | eval dip=DEFAULT | eval dport = DEFAULT] |fields start_time,end_time,sip,dip,dport |map search="search index=ies_log ruleid=20347 earliest=$start_time$ latest=$end_time$ sip=$sip$ dip=$dip$ dport=$dport$" maxsearches=10000|stats dc(dip)

It is not exactly what you asked, though, because the default will always run as the last map.

Reply
Solved! Jump to solution

caili
Path Finder
‎08-13-2015 10:22 PM

U resolved my question, thanks!

I can pass an invalid data to the arguments, so the last map can't search it.

If no default value given, then no event whose ruleid is 50513 is found, the search report error, but i want it returns 0.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-14-2015 07:24 AM

OK, so you have what you need then? If so, be sure to close the question by clicking "Accept".

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...
Top