- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Map search did not find value for required atr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Team,
map command is working for me but only with some fields.
For example:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by host | map search="search host=$host$"
is working fine (i know it does not have much sense)
But for:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress | map search="EndPointMACAddress=$EndPointMACAddress$"
I got error: Error in 'map': Did not find value for required attribute 'EndPointMACAddress'.
Why ? What is the difference in host and EndPointMACAddress ?
My raw event:
Aug 25 09:13:28 10.62.140.64 Aug 25 08:28:54 ise2-0-1 CISE_Profiler 0000000238 4 0 2016-08-25 08:28:54.231 +02:00 0000625546 80002 INFO Profiler: Profiler EndPoint profiling event occurred, ConfigVersionId=114, EndpointCertainityMetric=10, EndpointIPAddress=10.62.140.218, EndpointMacAddress=00:50:B6:11:EA:CE, EndpointMatchedPolicy=Workstation, EndpointNADAddress=10.62.140.16, EndpointOUI=GOOD WAY IND. CO.\, LTD., EndpointPolicy=Workstation, EndpointProperty=PolicyVersion=1\,49154-tcp=unknown\,AuthenticationIdentityStore=Internal Users\,EndPointPolicyID=7022f170-6d8e-11e5-978e-005056bf2f0a\,operating-system=Microsoft Windows Server 2008 SP1 (accuracy 96%)\,AuthenticationMethod=MSCHAPV2\,FirstCollection=1472106500025\,49155-tcp=unknown\,DestinationPort=1812\,CacheUpdateTime=1472106534199\,49153-tcp=unknown\,StaticAssignment=false\,User-Name=soc\,NmapScanCount=1\,SelectedAccessService=Default Network Access\,PostureExpiry=\,NetworkDeviceName=lab2-3850-1\,49156-tcp=unknown\,NAS-Port=50101\,DestinationIPAddress=10.62.140.64\,
Thanks,
Michal
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry it was my typoo, it looks like stats command arguments are case sensitive, so instead of EndPointMACAddress had to use EndpointMacAddress - working fine now 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry it was my typoo, it looks like stats command arguments are case sensitive, so instead of EndPointMACAddress had to use EndpointMacAddress - working fine now 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your successful search has search="search ...", your failing one does not have the search command. Try adding that and see if the outcome changes.
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress | map search="search EndPointMACAddress=$EndPointMACAddress$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may also want to sanity check the output of the search before the map command:
host="10.62.140.64" CISE_Profiler EndpointMatchedPolicy=Workstation EndPointMACAddress | stats count by EndPointMACAddress
What does that output look like?
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
