Solved: How to trigger map only when variable value exists...

ibob0304 · ‎03-08-2018

This query capture the id from logs and make a search in the database, when there is a id value in logs it works well, if there is no id value the map condition trigger an error

 Error in 'map': Did not find value for required attribute 'id'.

query

 index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| where !isnull(id) 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

Is it possible to trigger dbxquery only when there is a id value ?

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

View solution in original post

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

How to trigger map only when variable value exists?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant

Join the Conversation

How to trigger map only when variable value exists?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Accelerating Observability as Code with the Splunk AI Assistant