Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you prevent the map command from encapsulating the variable in quotes?

quasikaze
Explorer
‎01-28-2019 09:09 AM

The quotes can only be seen in the search.log in one of the SearchParser component events.

My ultimate goal is to be able to pass a single field with an arbitrary number of values through map to the same variable in multiple sections of the subsearch, one of which is specifically in the by section of a tstats. The examples below are proofs-of-concept to illustrate the problem. I've tried other approaches including tokens, not that there's a token to remove quotes, but have obviously been unsuccessful in my various attempts.

Ex #1: Value End Up Quoted & Does Not Work

<pre>| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"</pre>

Ex #2: Does Not Quote Value & Works

<pre>| makeresult
| eval test = "sourcetype"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"</pre>

Here's an alternative approach I tested, but it only seems to execute whatever is in the first record of the nested subsearch, which in this case is "sourcetype,host".

Ex #3: "by" Subsearch

<pre>| makeresults 
| fields sourcetype, host, lastTime 
| map 
    [| tstats latest(_time) AS lastTime WHERE index=_internal by 
        [| makeresults count=2 
        | streamstats count AS counter 
        | eval search = if(counter=1, "sourcetype,host", "sourcetype") 
        | fields - _time, counter ] 
        ]</pre>

Any thoughts?

Note: I did see the post "Why is there a problem when passing a command through a variable in map-command?", but it doesn't really help in this situation seeing as it doesn't solve how to do it in the by section. At least, if it does, I missed it.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-28-2019 02:50 PM

This is a difficult problem that took me forever to figure out but once I show you the trick, you are going to kick yourself. You cannot stop map from doing this, but you can work around it; you need to use both a subsearch and a map like this:

| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by [|makeresults | eval test=$test$ | return $test]"

BOOM! (That is the sound of the microphone that I dropped hitting my foot).

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-28-2019 02:58 PM

You took my suggestion to just add a subsearch but missed it by >that< much!

Reply
Solved! Jump to solution

quasikaze
Explorer
‎01-29-2019 08:01 AM

lol! That's actually what I tried a couple days earlier when talking back and forth with daljeanis. When I saw your comment about that, I had already forgotten about it and had no idea where you were talking about adding a subsearch or what to even put in it and just confusingly dismissed it. :facepalm: There's absolutely no way I would've solved it without your help! I've never had reason to use return, so I completely forgot it even existed! I've been working this issue off and on for months, so to finally have a solution is inspiring. Thanks again!

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-29-2019 08:44 AM

I feel your pain. I had the same experience. I absolutely had to make it work. It took me weeks and then God pushed the idea into my head; it just clicked! I solved it in my mind and I knew that it would work before I even tested it.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎01-28-2019 02:50 PM

This is a difficult problem that took me forever to figure out but once I show you the trick, you are going to kick yourself. You cannot stop map from doing this, but you can work around it; you need to use both a subsearch and a map like this:

| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by [|makeresults | eval test=$test$ | return $test]"

BOOM! (That is the sound of the microphone that I dropped hitting my foot).

Reply
Solved! Jump to solution

quasikaze
Explorer
‎01-29-2019 07:48 AM

This is what I needed! Thank you!

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎01-29-2019 04:53 PM

Tokens, tokens, everywhere! I shudder to think of how this will look as a dashboard panel!

0 Karma
Reply
Solved! Jump to solution

pierrealex
Engager
‎04-06-2023 08:10 AM

Thank you so much

I didn't undestand the tricks with `return $test` and why only one $

But this make the job!

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎01-28-2019 09:24 AM

Did you try using
\"$test$\" instead of $test$ in your second example?

0 Karma
Reply
Solved! Jump to solution

quasikaze
Explorer
‎01-28-2019 10:58 AM

Yeah. No luck there. Thanks though!

0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...