Solved: How to trigger map only when variable value exists...

ibob0304 · ‎03-08-2018

This query capture the id from logs and make a search in the database, when there is a id value in logs it works well, if there is no id value the map condition trigger an error

 Error in 'map': Did not find value for required attribute 'id'.

query

 index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| where !isnull(id) 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

Is it possible to trigger dbxquery only when there is a id value ?

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

View solution in original post

elliotproebstel · ‎03-08-2018

You can avoid returning an error by using fillnull to populate the field with an empty string:

index=*sourcetype=* "Invalid" 
| rex field=_raw ".*for\sinvalid\s(?<id>.*?(?=:))" 
| table id
| fillnull value="" id 
| map maxsearches=5 search="dbxquery query=\"select id, name,cell,email, date from idx where id='$id$'\" connection=sql"

How to trigger map only when variable value exists?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

How to trigger map only when variable value exists?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES