Solved: How to trigger map only when variable value exists...

ibob0304 · ‎03-08-2018

This query capture the id from logs and make a search in the database, when there is a id value in logs it works well, if there is no id value the map condition trigger an error

 Error in 'map': Did not find value for required attribute 'id'.

query

 index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| where !isnull(id) 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

Is it possible to trigger dbxquery only when there is a id value ?

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

View solution in original post

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

How to trigger map only when variable value exists?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation