I have a query that uses map, with a subsearch inside the map command, as below:
index=myindex
| eval email="email@xyz.com"
| dedup email
| table email
| map search " index=myindex sourcetype=mysourcetype
[search index=myindex \"$email$\"
| fields message_session_id
| dedup message_session_id ]
| transaction message_session_id maxspan=30s
| rename _time as time, tag::eventtype as eventtype, src as src_ip, size as total_size, filename as attachments, file_size as attachment_size, orig_src as sender
| table time, sender, recipient, src_user, subject, attachments, attachment_size, tag, eventtype, src_ip, signature_id, total_size, message_id, qid, message_session_id, process, protocol, orig_recipient, message_id, action, filter_action, filter_score, av, signature" maxsearches=1000
The first four lines are for test purposes. The actual query is different, but for my problem this is fine.
When I run this query I get an error message like "Error in 'map' command: Unable to find saved search 'search'."
It seems that the inner subsearch has a problem. Could anybody please help me here?
Thanks in advance.
Try this!
| map search " index=myindex sourcetype=mysourcetype
↓
| map search="search index=myindex sourcetype=mysourcetype
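For reference, this is the query from the question with that fix applied in full (added here as an illustration, not text from the answer itself). In `map`, the first argument is either `search="<search string>"` or the name of a saved search; with the `=` missing, the bare word `search` is taken as a saved search name, which is exactly what the error message reports. The only other thing to watch is the escaping: the inner `\"$email$\"` quotes are backslash-escaped because they sit inside the outer search string, and `$email$` is replaced, on each iteration, by the `email` value of one row from the outer results. The duplicated `message_id` column in the original `table` is dropped here.

```spl
index=myindex
| eval email="email@xyz.com"
| dedup email
| table email
| map search="search index=myindex sourcetype=mysourcetype
    [search index=myindex \"$email$\"
    | fields message_session_id
    | dedup message_session_id ]
    | transaction message_session_id maxspan=30s
    | rename _time as time, tag::eventtype as eventtype, src as src_ip, size as total_size, filename as attachments, file_size as attachment_size, orig_src as sender
    | table time, sender, recipient, src_user, subject, attachments, attachment_size, tag, eventtype, src_ip, signature_id, total_size, message_id, qid, message_session_id, process, protocol, orig_recipient, action, filter_action, filter_score, av, signature" maxsearches=1000
```

Two caveats worth knowing before running this over a real list of addresses. `map` runs the whole inner search, subsearch included, once per outer row, so the subsearch limits (by default 10,000 results and a 60 second timeout) apply to every iteration separately, and `maxsearches` (default 10) is a hard cap on iterations, not a performance setting. Also, `$email$` is substituted textually into the search string; a value containing a double quote would break the generated search, so the outer results should be restricted to the trusted, well-formed addresses you actually intend to search for.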
You almost certainly don't want to solve this issue with map and subsearch. You may not even want to use map without subsearch.
I know mail logs are awful. I've had to do a lot of customization and summarization to solve my past mail log needs. I would probably suggest you post a new question, asking in general, "here's what my data looks like, and here's what I need to search and what I need to get out of it, how can I do that?".
Really, I feel your pain on this. Mail logs are the devil.
I'm using map because there is a list of emails for which we need to search this, so I wanted to create a loop over those emails. I just want to know if there is any limitation on using a subsearch inside a map command like this. It's giving an error that it should not. It would be better if you could tell me why I'm getting this error; I'm mostly worried about the syntax of this map command.
I really do understand why you went down this path. I'm not judging you, I've gone through this and other vicious searches for mail logs.
With regard to not posting an answer, that's why I posted this only as a comment. I really don't want to come across as rude, but having been through the trials and tribulations of mail logs I know firsthand that this method is quickly going to fail to meet your needs.
No, it's not working... I'm getting the same error message.
I made a mistake; the search string has been corrected.
The error occurs because, due to a mistake in the parameter, the argument was interpreted as a saved search name.
You can also use "$email$" in the subsearch of the map command.
Thank you... this solution works.