Splunk Search

Problem with map command - Using search from lookup

Communicator

Hi all,
I am trying to run a map command that will run searches from a lookup one by one as follows:

| inputlookup "Correlation_searches.csv" 
| head 1
| map search="$check_search$"

The head 1 is just for debugging purposes. The value of $check_search$ is the search.

For some reason I get the following error:

Unable to run query '"| tstats `summariesonly` count from 
datamodel=\"Change_Analysis.All_Changes\" where earliest=-7d@h latest=now 
nodename=\"All_Changes.Account_Management\" \"All_Changes.tag\"=\"delete\""'.

But I ran this search and it worked just fine:

| makeresults 1 
| map search="| tstats `summariesonly` count from datamodel=\"Change_Analysis.All_Changes\" 
where earliest=-7d@h latest=now nodename=\"All_Changes.Account_Management\" 
\"All_Changes.tag\"=\"delete\""

Thanks!

SplunkTrust

Hi @astatrial,

The problem is not in your query but in your CSV file. Make sure the searches in the CSV file are not in quotes as that is what is breaking your search.

Cheers,
David

Communicator

Hi David.
Actually the CSV file is fine. I think the problem is with the map command adding \ before the ".

SplunkTrust

No double quotes in the CSV file?

Communicator

I checked and there aren't.

SplunkTrust

Have a look here if it's the \ causing the problem: https://docs.splunk.com/Documentation/Splunk/6.5.0/Viz/tokens#Escape_the_.24_token_delimiter_charact...
You can try to escape your search token using |s or |n like : $check_search|s$

Communicator

Tried it but it didn't work. Thanks anyway.

Esteemed Legend

It is not obvious but if you look closely, you will see that there are double-quote characters getting in the way. The search that is getting run is this:

"| tstats `summariesonly` count from 
datamodel=\"Change_Analysis.All_Changes\" where earliest=-7d@h latest=now 
nodename=\"All_Changes.Account_Management\" \"All_Changes.tag\"=\"delete\""

Instead of your desire of this:

| tstats `summariesonly` count from 
datamodel="Change_Analysis.All_Changes" where earliest=-7d@h latest=now 
nodename="All_Changes.Account_Management" "All_Changes.tag"="delete"

The problem is discussed with my solution here:
https://answers.splunk.com/answers/719456/how-do-you-prevent-the-map-command-from-encapsulat.html
So try this:

| inputlookup "Correlation_searches.csv" 
| head 1
| map search="[|makeresults | eval check_search=$check_search$ | return $check_search]"

Communicator

Hi, thanks for your help.
That didn't work for some reason.
The result was the same as the first query (with the \" ).

Esteemed Legend

Escaping the double-quotes is absolutely necessary because the map clause is always in double-quotes. Test my solution with a simpler search string that does not need/have any double-quotes. Try to eliminate variables.

SplunkTrust

Does your lookup table field check_search have all the quotes/special characters escaped? Would you mind pasting the result of | inputlookup "Correlation_searches.csv" | head 1 here? Do remember to format the result using the 101010 button in the editor here OR press Ctrl+K after selecting it. Also, scrub any sensitive data that you may have.

Communicator

The output of this command is:

check_search        
| tstats `summariesonly` count from datamodel="Change_Analysis.All_Changes" where earliest=-7d@h latest=now  nodename="All_Changes.Account_Management" "All_Changes.tag"="delete"

This is just a version of a built-in correlation search, so there is nothing sensitive here. The check_search is the name of the column.

Influencer

@astatrial - Try removing the quotes: map search=$check_search$

Communicator

Already tried it, and got the same result.
