Hi all,
I am trying to run a map command that will run searches from a lookup one by one as follows:
| inputlookup "Correlation_searches.csv"
| head 1
| map search="$check_search$"
The head 1 is just for debug purpose. The value of $check_search$ is the search.
For some reason I get the following error:
Unable to run query '"| tstats `summariesonly` count from
datamodel=\"Change_Analysis.All_Changes\" where earliest=-7d@h latest=now
nodename=\"All_Changes.Account_Management\" \"All_Changes.tag\"=\"delete\""'.
But I ran this search and it worked just fine:
| makeresults 1
| map search="| tstats `summariesonly` count from datamodel=\"Change_Analysis.All_Changes\"
where earliest=-7d@h latest=now nodename=\"All_Changes.Account_Management\"
\"All_Changes.tag\"=\"delete\""
Thanks!
Hi @astatrial,
The problem is not in your query but in your CSV file. Make sure the searches in the CSV file are not in quotes as that is what is breaking your search.
Cheers,
David
Hi David.
Actually the CSV file is fine. I think the problem is with the map command adding \ before the "
No double quotes in the CSV file?
I checked and there aren't.
Have a look here if it's the \ causing the problem : https://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Escape_the_.24_token_delimiter_charact...
You can try to escape your search token using |s or |n, like: $check_search|s$
Tried it but it didn't work. Thanks anyway.
It is not obvious but if you look closely, you will see that there are double-quote
characters getting in the way. The search that is getting run is this:
"| tstats `summariesonly` count from
datamodel=\"Change_Analysis.All_Changes\" where earliest=-7d@h latest=now
nodename=\"All_Changes.Account_Management\" \"All_Changes.tag\"=\"delete\""
Instead of your desire of this:
| tstats `summariesonly` count from
datamodel="Change_Analysis.All_Changes" where earliest=-7d@h latest=now
nodename="All_Changes.Account_Management" "All_Changes.tag"="delete"
The problem is discussed with my solution here:
https://answers.splunk.com/answers/719456/how-do-you-prevent-the-map-command-from-encapsulat.html
So try this:
| inputlookup "Correlation_searches.csv"
| head 1
| map search="[|makeresults | eval check_search=$check_search$ | return $check_search]"
Hi, thanks for your help.
That didn't work for some reason.
The result was the same as the first query (with the \" ).
Escaping the double-quotes is absolutely necessary because the map clause is always in double-quotes. Test my solution with a simpler search string that does not need/have any double-quotes. Try to eliminate variables.
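As an added illustration of the quoting problem described above (this is not code from the thread or from Splunk): a small Python check that reads a lookup CSV, flags check_search values containing double quotes or the $ token delimiter, and shows the backslash-escaped form those quotes take once the value sits inside map's double-quoted search="..." argument. The sample lookup below is constructed, not the poster's real Correlation_searches.csv.

```python
import csv
import io

# Constructed sample lookup standing in for Correlation_searches.csv.
# Row 1 mimics the poster's tstats search (CSV doubles embedded quotes);
# row 2 is a search with no quotes at all, for contrast.
SAMPLE_LOOKUP = '''check_search
"| tstats `summariesonly` count from datamodel=""Change_Analysis.All_Changes"" where earliest=-7d@h latest=now nodename=""All_Changes.Account_Management"" ""All_Changes.tag""=""delete"""
| tstats count from datamodel=Authentication where earliest=-1h
'''


def escape_for_map_arg(spl: str) -> str:
    """Return the form `spl` takes when embedded inside map search="...":
    backslashes and double quotes have to be backslash-escaped, which is
    exactly the \\" seen in the 'Unable to run query' error above."""
    return spl.replace('\\', '\\\\').replace('"', '\\"')


def audit_lookup(csv_text: str, field: str = "check_search") -> list:
    """Return (row_number, reasons, search, escaped_form) for every row whose
    search contains characters that will be escaped or expanded inside map."""
    reader = csv.DictReader(io.StringIO(csv_text))
    flagged = []
    for n, row in enumerate(reader, start=1):
        value = row.get(field) or ""
        reasons = []
        if '"' in value:
            reasons.append("contains double quotes")
        if "$" in value:
            reasons.append("contains $ (map token delimiter)")
        if value.startswith('"') and value.endswith('"'):
            reasons.append("whole value wrapped in quotes")
        if reasons:
            flagged.append((n, "; ".join(reasons), value, escape_for_map_arg(value)))
    return flagged


if __name__ == "__main__":
    for n, reasons, value, escaped in audit_lookup(SAMPLE_LOOKUP):
        print(f"row {n}: {reasons}")
        print(f"  raw search : {value}")
        print(f"  inside map : search=\"{escaped}\"")
```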
Does your lookup table field check_search have all the quotes/special characters escaped? Would you mind pasting the result of | inputlookup "Correlation_searches.csv" | head 1 here? Do remember to format the result using the 101010 button in the editor here OR press Ctrl+K after selecting it. Also, scrub any sensitive data that you may have.
The output of this command is:
check_search
| tstats `summariesonly` count from datamodel="Change_Analysis.All_Changes" where earliest=-7d@h latest=now nodename="All_Changes.Account_Management" "All_Changes.tag"="delete"
This is just a version of a built-in correlation search, so there is nothing sensitive here. check_search is the name of the column.
@astarial - Try removing the quotes. map search=$check_search$
Already tried it, and got the same result.