Solved: Re: Rest search with map doesnt work as intended

splunkinator53 · ‎04-07-2025

This is the SPL i m using
| rest /servicesNS/-/-/saved/searches splunk_server=local
| fields title
| search title=Reports*
| eval dayEarliest="-1d@d", dayLatest="@d"
| map maxsearches=100000 search="savedsearch \"$title$\" etime=\"$dayEarliest$\" ltime=\"$dayLatest$\" | addinfo | collect index=INDEXNAME testmode=false | search"

Error i get:
[map]: No results to summary index.

Why?

livehybrid · ‎04-07-2025

Hi

Your map search is running saved searches with savedsearch command, but that command does not accept etime and ltime parameters.

Instead, use earliest and latest parameters:

| rest /servicesNS/-/-/saved/searches splunk_server=local
| fields title
| search title=Reports*
| eval dayEarliest="-1d@d", dayLatest="@d"
| map maxsearches=100 search="| savedsearch \"$title$\" earliest=\"$dayEarliest$\" latest=\"$dayLatest$\" | addinfo | collect index=INDEXNAME testmode=false"

Please note:

mapcan be slow or resource-intensive with many saved searches.
Ensure the saved searches are compatible with overridden time ranges (e.g. they might specify their own earliest/latest).
The collect command requires capabilities to allow writing to the target index.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

livehybrid · ‎04-07-2025

Hi

Your map search is running saved searches with savedsearch command, but that command does not accept etime and ltime parameters.

Instead, use earliest and latest parameters:

| rest /servicesNS/-/-/saved/searches splunk_server=local
| fields title
| search title=Reports*
| eval dayEarliest="-1d@d", dayLatest="@d"
| map maxsearches=100 search="| savedsearch \"$title$\" earliest=\"$dayEarliest$\" latest=\"$dayLatest$\" | addinfo | collect index=INDEXNAME testmode=false"

Please note:

mapcan be slow or resource-intensive with many saved searches.
Ensure the saved searches are compatible with overridden time ranges (e.g. they might specify their own earliest/latest).
The collect command requires capabilities to allow writing to the target index.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

splunkinator53 · ‎04-07-2025

Okay, thx for your reply! 🙂

Qst:

How would you construct the search, when you make a rest call and let all searches run then saving them in an index?

Which approach is better then map?

PickleRick · ‎04-07-2025

Well... this ia valid method but.

1) The map command can mean that you cause a big performance hit to your environment - it's gonna be spawning search after search....

2) In this particular case you indiscriminately run all searches matching a given pattern. You have no control about who defined those searches and what they do. That might not be the best idea. This could actually be a way for other user to abuse your privileges or at least unwillingly damage your environment. It's as if you were trying to find all executable files on your server and running them with sudo.

Let's imagine someone creates a search containing "index=* | delete" and your user has the can_delete capability. Or just create "index=* | collect sourcetype=some_non_stash_sourcetype". That's gonna hurt. Badly.

Rest search with map doesnt work as intended

eval

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?