Solved: Search field names with spaces in map command inne...

ErikaE · ‎11-19-2015

I have data from a sourcetype that I am searching with a map command like so:

source=outersearch | map search="search source="innersource" | stats avg(Param)"

This search runs correctly and returns the expected number of events from innersource. However, I would like to be able to search for a fieldname with a space in the inner search source. i.e. "Field Name"="String Value". When I isolate the inner search, it works just fine. When I include it in the map string:

source=outersearch | map search="search source="innersource" "Field Name"="String Value" | stats avg(Param)"

The map search returns no results. The documentation says that the map search string is 'literal' but I can't find any documentation on what that means or how it constrains how the search has to be written.

woodcock · ‎11-19-2015

Try this (demonstrates multiple approaches):

 source=outersearch | map search="search source=\"innersource\" $Field Name$='String Value' | stats avg(Param)"

View solution in original post

woodcock · ‎11-19-2015

Try this (demonstrates multiple approaches):

 source=outersearch | map search="search source=\"innersource\" $Field Name$='String Value' | stats avg(Param)"

ErikaE · ‎11-24-2015

The escape character ended up working great, i.e.:

\"Field Name with Space\"

It took a little bit of fiddling to figure out which parts of the inner search were causing issues.

Search field names with spaces in map command inner search

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Search field names with spaces in map command inner search

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk