Splunk Search

Map search did not find value for required attribute

teknet9
Path Finder

Hello Team,

The map command is working for me, but only with some fields.
For example:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by host | map search="search host=$host$"
is working fine (I know it does not make much sense).

But for:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress | map search="EndPointMACAddress=$EndPointMACAddress$"

I get the error: Error in 'map': Did not find value for required attribute 'EndPointMACAddress'.

Why? What is the difference between host and EndPointMACAddress?

My raw event:
Aug 25 09:13:28 10.62.140.64 Aug 25 08:28:54 ise2-0-1 CISE_Profiler 0000000238 4 0 2016-08-25 08:28:54.231 +02:00 0000625546 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=114, EndpointCertainityMetric=10, EndpointIPAddress=10.62.140.218, EndpointMacAddress=00:50:B6:11:EA:CE, EndpointMatchedPolicy=Workstation, EndpointNADAddress=10.62.140.16, EndpointOUI=GOOD WAY IND. CO.\, LTD., EndpointPolicy=Workstation, EndpointProperty=PolicyVersion=1\,49154-tcp=unknown\,AuthenticationIdentityStore=Internal Users\,EndPointPolicyID=7022f170-6d8e-11e5-978e-005056bf2f0a\,operating-system=Microsoft Windows Server 2008 SP1 (accuracy 96%)\,AuthenticationMethod=MSCHAPV2\,FirstCollection=1472106500025\,49155-tcp=unknown\,DestinationPort=1812\,CacheUpdateTime=1472106534199\,49153-tcp=unknown\,StaticAssignment=false\,User-Name=soc\,NmapScanCount=1\,SelectedAccessService=Default Network Access\,PostureExpiry=\,NetworkDeviceName=lab2-3850-1\,49156-tcp=unknown\,NAS-Port=50101\,DestinationIPAddress=10.62.140.64\,

Thanks,
Michal

1 Solution

teknet9
Path Finder

Sorry, it was my typo. It looks like stats command arguments are case-sensitive, so instead of EndPointMACAddress I had to use EndpointMacAddress. Working fine now 🙂

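The following is an added example, not code from the thread or from Splunk, that reproduces outside Splunk why `stats count by EndPointMACAddress | map ...` fails while `stats count by host | map ...` works. It models three SPL steps in plain Python: automatic key=value extraction from the CISE_Profiler event (including the `\,` escaped commas Cisco ISE uses inside values), `stats count by <field>`, and `map search="search <field>=$<field>$"`. The event text and field names are taken from the question; the parser, the treatment of `host` as index-time metadata, and the error check are assumptions about how to model the behaviour, not Splunk's implementation.

```python
"""Model why `... | stats count by EndPointMACAddress | map ...` reports
"Did not find value for required attribute" while `... by host` does not.

Added example, not from the thread or from Splunk. The parser, the host
metadata handling and the error check are assumptions that model the
observed behaviour; they are not Splunk's own code.
"""
import re
from collections import Counter

# Constructed from the raw event in the question, shortened to the attributes
# that matter here. ISE separates attributes with ", " and writes a literal
# comma inside a value as "\,".
RAW_EVENT = (
    r"Aug 25 09:13:28 10.62.140.64 Aug 25 08:28:54 ise2-0-1 CISE_Profiler 0000000238 4 0 "
    r"2016-08-25 08:28:54.231 +02:00 0000625546 80002 INFO Profiler: Profiler EndPoint "
    r"profiling event occurred, ConfigVersionId=114, EndpointCertainityMetric=10, "
    r"EndpointIPAddress=10.62.140.218, EndpointMacAddress=00:50:B6:11:EA:CE, "
    r"EndpointMatchedPolicy=Workstation, EndpointNADAddress=10.62.140.16, "
    r"EndpointOUI=GOOD WAY IND. CO.\, LTD., EndpointPolicy=Workstation, "
    r"EndpointProperty=PolicyVersion=1\,49154-tcp=unknown\,User-Name=soc\,NAS-Port=50101\,"
)

ATTR_SEP = re.compile(r"(?<!\\), ")    # split on ", " unless the comma is escaped
TOKEN = re.compile(r"\$(\w[\w-]*)\$")   # $field$ placeholders in the map template


class MapError(Exception):
    """Carries the message the map command reported in the question."""


def extract_fields(raw: str, host: str) -> dict:
    """Approximate Splunk's automatic key=value extraction for one event.

    `host` is index-time metadata (taken from the syslog header on ingest), so
    it exists on every event regardless of the event body. The key=value fields
    are named exactly as they appear in the event: the extracted field is
    `EndpointMacAddress`; no field called `EndPointMACAddress` exists.
    """
    fields = {"host": host}
    _, _, body = raw.partition("profiling event occurred, ")
    for attr in ATTR_SEP.split(body):
        key, eq, value = attr.partition("=")   # first '=' only; values may contain '='
        if eq:
            fields[key.strip()] = value.replace(r"\,", ",").strip()
    return fields


def stats_count_by(events: list, by_field: str) -> list:
    """`stats count by <field>`: events lacking the field are dropped, so a
    mis-cased field name yields no rows at all, not rows with an empty value."""
    counts = Counter(e[by_field] for e in events if by_field in e)
    return [{by_field: value, "count": n} for value, n in counts.items()]


def map_search(rows: list, template: str) -> list:
    """`map search="..."`: every $token$ must name a field of the incoming
    results. A token naming a field the previous command never produced is the
    "required attribute" the error message complains about."""
    available = {key for row in rows for key in row}
    for name in TOKEN.findall(template):
        if name not in available:
            raise MapError(
                f"Error in 'map': Did not find value for required attribute '{name}'."
            )
    generated = []
    for row in rows:
        generated.append(TOKEN.sub(lambda m: row[m.group(1)], template))
    return generated


def run_pipeline(events: list, by_field: str) -> list:
    """`... | stats count by <by_field> | map search="search <by_field>=$<by_field>$"`.
    The template keeps the leading `search` keyword, as in the working host example."""
    rows = stats_count_by(events, by_field)
    return map_search(rows, f"search {by_field}=${by_field}$")


def try_pipeline(events: list, by_field: str) -> str:
    """Return the generated searches, or the map error text, as one string."""
    try:
        return "; ".join(run_pipeline(events, by_field))
    except MapError as err:
        return str(err)


if __name__ == "__main__":
    events = [extract_fields(RAW_EVENT, host="10.62.140.64")]
    for by_field in ("host", "EndPointMACAddress", "EndpointMacAddress"):
        print(f"stats count by {by_field:<19} -> {try_pipeline(events, by_field)}")
```

Running it prints a working generated search for `host` and for `EndpointMacAddress`, and the exact error from the question for `EndPointMACAddress`, because the group-by field never existed in the extracted fields and so never reached map. The same check applies to any `$field$` token in a map template: grep the raw event (or run the search up to `stats` alone, as suggested further down the thread) for the field name with its exact casing before building the map.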

micahkemp
Champion

Your successful search has search="search ...", your failing one does not have the search command. Try adding that and see if the outcome changes.

host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress | map search="search EndPointMACAddress=$EndPointMACAddress$"

micahkemp
Champion

You may also want to sanity check the output of the search before the map command:

host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress

What does that output look like?
