Splunk Search

Map search did not find value for required atribute

teknet9
Path Finder

Hello Team,

map command is working for me but only with some fields.
For example:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by host | map search="search host=$host$"
is working fine (i know it does not have much sense)

But for:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress | map search="EndPointMACAddress=$EndPointMACAddress$"

I got error: Error in 'map': Did not find value for required attribute 'EndPointMACAddress'.

Why ? What is the difference in host and EndPointMACAddress ?

My raw event:
Aug 25 09:13:28 10.62.140.64 Aug 25 08:28:54 ise2-0-1 CISE_Profiler 0000000238 4 0 2016-08-25 08:28:54.231 +02:00 0000625546 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=114, EndpointCertainityMetric=10, EndpointIPAddress=10.62.140.218, EndpointMacAddress=00:50:B6:11:EA:CE, EndpointMatchedPolicy=Workstation, EndpointNADAddress=10.62.140.16, EndpointOUI=GOOD WAY IND. CO.\, LTD., EndpointPolicy=Workstation, EndpointProperty=PolicyVersion=1\,49154-tcp=unknown\,AuthenticationIdentityStore=Internal Users\,EndPointPolicyID=7022f170-6d8e-11e5-978e-005056bf2f0a\,operating-system=Microsoft Windows Server 2008 SP1 (accuracy 96%)\,AuthenticationMethod=MSCHAPV2\,FirstCollection=1472106500025\,49155-tcp=unknown\,DestinationPort=1812\,CacheUpdateTime=1472106534199\,49153-tcp=unknown\,StaticAssignment=false\,User-Name=soc\,NmapScanCount=1\,SelectedAccessService=Default Network Access\,PostureExpiry=\,NetworkDeviceName=lab2-3850-1\,49156-tcp=unknown\,NAS-Port=50101\,DestinationIPAddress=10.62.140.64\,

Thanks,
Michal

Tags (2)
0 Karma
1 Solution

teknet9
Path Finder

Sorry it was my typoo, it looks like stats command arguments are case sensitive, so instead of EndPointMACAddress had to use EndpointMacAddress - working fine now 🙂

View solution in original post

0 Karma

teknet9
Path Finder

Sorry it was my typoo, it looks like stats command arguments are case sensitive, so instead of EndPointMACAddress had to use EndpointMacAddress - working fine now 🙂

0 Karma

micahkemp
Champion

Your successful search has search="search ...", your failing one does not have the search command. Try adding that and see if the outcome changes.

host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress | map search="search EndPointMACAddress=$EndPointMACAddress$"

0 Karma

micahkemp
Champion

You may also want to sanity check the output of the search before the map command:

host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress

What does that output look like?

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...