Problem with map command - Using search from lookup
Hi all,
I am trying to run a map command that will run searches from a lookup one by one, as follows:
| inputlookup "Correlation_searches.csv"
| head 1
| map search="$check_search$"
The head 1 is just for debugging purposes. The value of $check_search$ is the search.
For some reason I get the next error:
Unable to run query '"| tstats `summariesonly` count from
datamodel=\"Change_Analysis.All_Changes\" where earliest=-7d@h latest=now
nodename=\"All_Changes.Account_Management\" \"All_Changes.tag\"=\"delete\""'.
But I ran this search and it worked just fine:
| makeresults 1
| map search="| tstats `summariesonly` count from datamodel=\"Change_Analysis.All_Changes\"
where earliest=-7d@h latest=now nodename=\"All_Changes.Account_Management\"
\"All_Changes.tag\"=\"delete\""
Thanks!

Hi @astatrial,
The problem is not in your query but in your CSV file. Make sure the searches in the CSV file are not in quotes as that is what is breaking your search.
Cheers,
David
Hi David.
Actually the CSV file is fine. I think the problem is with the map command adding \ before the ".

No double quotes in the CSV file?
I checked and there aren't.

Have a look here if it's the \ causing the problem: https://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Escape_the_.24_token_delimiter_charact...
You can try to escape your search token using |s or |n, like: $check_search|s$
Tried it but it didn't work. Thanks anyway.

It is not obvious but if you look closely, you will see that there are double-quote
characters getting in the way. The search that is getting run is this:
"| tstats `summariesonly` count from
datamodel=\"Change_Analysis.All_Changes\" where earliest=-7d@h latest=now
nodename=\"All_Changes.Account_Management\" \"All_Changes.tag\"=\"delete\""
Instead of your desire of this:
| tstats `summariesonly` count from
datamodel="Change_Analysis.All_Changes" where earliest=-7d@h latest=now
nodename="All_Changes.Account_Management" "All_Changes.tag"="delete"
The problem is discussed with my solution here:
https://answers.splunk.com/answers/719456/how-do-you-prevent-the-map-command-from-encapsulat.html
So try this:
| inputlookup "Correlation_searches.csv"
| head 1
| map search="[|makeresults | eval check_search=$check_search$ | return $check_search]"
Hi, thanks for your help.
That didn't work for some reason.
The result was the same as the first query (with the \" ).

Escaping the double-quotes is absolutely necessary because the map clause is always in double-quotes. Test my solution with a simpler search string that does not need/have any double-quotes. Try to eliminate variables.

Does your lookup table field check_search have all the quotes/special characters escaped? Would you mind pasting the result of | inputlookup "Correlation_searches.csv" | head 1 here? Do remember to format the result using the 101010 button in the editor here OR press Ctrl+K after selecting it. Also, scrub any sensitive data that you may have.
The output of this command is:
check_search
| tstats `summariesonly` count from datamodel="Change_Analysis.All_Changes" where earliest=-7d@h latest=now nodename="All_Changes.Account_Management" "All_Changes.tag"="delete"
This is just a version of a built-in correlation search, so there is nothing sensitive here. The check_search is the name of the column.
@astarial - Try removing the quotes. map search=$check_search$
Already tried it, and got the same result.
