Solved: Issue with using "search IN" command within map

Kristian_86 · ‎11-30-2023

Hello,
I have the following issue, do you know any solution or workaround?
(Or maybe I declared something wrongly...)
When using a comma separated field values in MAP within the IN command, it is not working from the outer search. But when I write out the value of that outside field, it is recognized.

| makeresults
| eval ips="a,c,x"
| map [
  | makeresults
  | append [ makeresults | eval ips="a", label="aaa" ]
  | append [ makeresults | eval ips="b", label="bbb" ]
  | append [ makeresults | eval ips="c", label="ccc" ]
  | append [ makeresults | eval ips="d", label="ddd" ]
  ```| search ips IN ($ips$)```           ```NOT WORKING```
  | search ips IN (a,c,x)           ```WORKING```
  | eval outer_ips=$ips$
] maxsearches=10

bowesmana · ‎11-30-2023

Most likely because the substitution is passing $ips$ as the string "a,c,x" and if you search for

| search ips IN ("a,c,x")

you also get no results

You could do it differently using where, for example this works

| eval outer_ips=split($ips$, ",")
| where ips=outer_ips

or this

| where match($ips$, ips)

assuming your use case is IP addresses, the where option also allows for cirdmatch if that is useful.

View solution in original post

bowesmana · ‎11-30-2023

Most likely because the substitution is passing $ips$ as the string "a,c,x" and if you search for

| search ips IN ("a,c,x")

you also get no results

You could do it differently using where, for example this works

| eval outer_ips=split($ips$, ",")
| where ips=outer_ips

or this

| where match($ips$, ips)

assuming your use case is IP addresses, the where option also allows for cirdmatch if that is useful.

Kristian_86 · ‎12-04-2023

Thank you for your answer, it helped me out. 🙂
The final version was a bit more trickier as in the ips field can be an "*" instead of any listed values and in that case any of the found values should be considered.
So this was the final solution:

| makeresults
| eval ips="a,c,x"
```| eval ips="*"```
| eval ips=replace(ips, "\*", "%")
| map [
  | makeresults
  | append [ makeresults | eval ips="a", label="aaa" ]
  | append [ makeresults | eval ips="b", label="bbb" ]
  | append [ makeresults | eval ips="c", label="ccc" ]
  | append [ makeresults | eval ips="d", label="ddd" ]
  | eval outer_ips=split("$ips$", ",")
  | where (ips=outer_ips OR LIKE(ips, "$ips$"))
```with the above conditon when only a * (%) is there as a value it will catch it with the LIKE. when some other value then the first condition will catch the proper events)```
] maxsearches=10

bowesmana · ‎12-04-2023

Just as an aside on the use of map, note that it is not a practical command for use on large datasets, as each map result gets executed in its own serial search, so it can take time and depending on the search can cause a lot of overhead to iterate through large result sets.

Often there is an alternative way to write the search (but not always). Depends on the use case.

Issue with using "search IN" command within map

lookup

subsearch

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

Video | Tom’s Smartness Journey Continues

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?