Solved: How to trigger map only when variable value exists...

ibob0304 · ‎03-08-2018

This query capture the id from logs and make a search in the database, when there is a id value in logs it works well, if there is no id value the map condition trigger an error

 Error in 'map': Did not find value for required attribute 'id'.

query

 index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| where !isnull(id) 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

Is it possible to trigger dbxquery only when there is a id value ?

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

View solution in original post

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

How to trigger map only when variable value exists?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How to trigger map only when variable value exists?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25