Solved: How to trigger map only when variable value exists...

ibob0304 · ‎03-08-2018

This query capture the id from logs and make a search in the database, when there is a id value in logs it works well, if there is no id value the map condition trigger an error

 Error in 'map': Did not find value for required attribute 'id'.

query

 index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| where !isnull(id) 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

Is it possible to trigger dbxquery only when there is a id value ?

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

View solution in original post

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

How to trigger map only when variable value exists?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

Application management with Targeted Application Install for Victoria Experience

Join the Conversation

How to trigger map only when variable value exists?

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 4)

From GPU to Application: Monitoring Cisco AI Infrastructure with Splunk Observability ...

Application management with Targeted Application Install for Victoria Experience