Solved: Re: Search field names with spaces in map command ...

ErikaE · ‎11-19-2015

I have data from a sourcetype that I am searching with a map command like so:

source=outersearch | map search="search source="innersource" | stats avg(Param)"

This search runs correctly and returns the expected number of events from innersource. However, I would like to be able to search for a fieldname with a space in the inner search source. i.e. "Field Name"="String Value". When I isolate the inner search, it works just fine. When I include it in the map string:

source=outersearch | map search="search source="innersource" "Field Name"="String Value" | stats avg(Param)"

The map search returns no results. The documentation says that the map search string is 'literal' but I can't find any documentation on what that means or how it constrains how the search has to be written.

woodcock · ‎11-19-2015

Try this (demonstrates multiple approaches):

 source=outersearch | map search="search source=\"innersource\" $Field Name$='String Value' | stats avg(Param)"

View solution in original post

woodcock · ‎11-19-2015

Try this (demonstrates multiple approaches):

 source=outersearch | map search="search source=\"innersource\" $Field Name$='String Value' | stats avg(Param)"

ErikaE · ‎11-24-2015

The escape character ended up working great, i.e.:

\"Field Name with Space\"

It took a little bit of fiddling to figure out which parts of the inner search were causing issues.

Search field names with spaces in map command inner search

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform