Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Map search did not find value for required atribut...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Team,
map command is working for me but only with some fields.
For example:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by host | map search="search host=$host$"
is working fine (i know it does not have much sense)
But for:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress | map search="EndPointMACAddress=$EndPointMACAddress$"
I got error: Error in 'map': Did not find value for required attribute 'EndPointMACAddress'.
Why ? What is the difference in host and EndPointMACAddress ?
My raw event:
Aug 25 09:13:28 10.62.140.64 Aug 25 08:28:54 ise2-0-1 CISE_Profiler 0000000238 4 0 2016-08-25 08:28:54.231 +02:00 0000625546 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=114, EndpointCertainityMetric=10, EndpointIPAddress=10.62.140.218, EndpointMacAddress=00:50:B6:11:EA:CE, EndpointMatchedPolicy=Workstation, EndpointNADAddress=10.62.140.16, EndpointOUI=GOOD WAY IND. CO.\, LTD., EndpointPolicy=Workstation, EndpointProperty=PolicyVersion=1\,49154-tcp=unknown\,AuthenticationIdentityStore=Internal Users\,EndPointPolicyID=7022f170-6d8e-11e5-978e-005056bf2f0a\,operating-system=Microsoft Windows Server 2008 SP1 (accuracy 96%)\,AuthenticationMethod=MSCHAPV2\,FirstCollection=1472106500025\,49155-tcp=unknown\,DestinationPort=1812\,CacheUpdateTime=1472106534199\,49153-tcp=unknown\,StaticAssignment=false\,User-Name=soc\,NmapScanCount=1\,SelectedAccessService=Default Network Access\,PostureExpiry=\,NetworkDeviceName=lab2-3850-1\,49156-tcp=unknown\,NAS-Port=50101\,DestinationIPAddress=10.62.140.64\,
Thanks,
Michal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry it was my typoo, it looks like stats command arguments are case sensitive, so instead of EndPointMACAddress had to use EndpointMacAddress - working fine now 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry it was my typoo, it looks like stats command arguments are case sensitive, so instead of EndPointMACAddress had to use EndpointMacAddress - working fine now 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your successful search has search="search ...", your failing one does not have the search command. Try adding that and see if the outcome changes.
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress | map search="search EndPointMACAddress=$EndPointMACAddress$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may also want to sanity check the output of the search before the map command:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress
What does that output look like?
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
