Splunk Search

Using the map command with a subsearch not working

phant0m
Observer

Hello all, new poster here. I have a csv file with a column full of Splunk queries. I am trying to enrich my Splunk instance with the data from the csv file via the following command: 

index="index1" 
    [ inputlookup rules.csv 
    | eval search = if(boolean=="FALSE","\""+rule+"\"",rule) 
    | return 10000 $search] 
| fields _time index 
| eval time_token = "_time=" + _time 
| eval index_token = "index=" + index 
| stats values(time_token) AS time_token values(index_token) AS index_token 
| eval time_token=mvjoin(time_token," OR ") 
| eval index_token=mvjoin(index_token," OR ") 
| append 
    [ inputlookup rules.csv 
    | eval rule = if(boolean=="FALSE","\""+rule+"\"",rule) 
    | return 10000 $rule] 
| eventstats first(time_token) AS time_token first(index_token) AS index_token 
| search rule=* 
| map maxsearches=100 search="search
    [| makeresults 
    | eval search= \"$time_token$ $index_token$ $rule$\" 
    | return $search] 
    | eval rule_found=\"$rule$\", rule_id=\"$id$\""

The problem I am having is with the "map" command. Everything after the second "search" is greyed out and not being included in the search. I have been able to get the following portion of the code working:

index="index1" 
    [ inputlookup rules.csv 
    | eval search = if(boolean=="FALSE","\""+rule+"\"",rule) 
    | return 10000 $search] 
| fields _time index 
| eval time_token = "_time=" + _time 
| eval index_token = "index=" + index 
| stats values(time_token) AS time_token values(index_token) AS index_token 
| eval time_token=mvjoin(time_token," OR ") 
| eval index_token=mvjoin(index_token," OR ") 
| append 
    [ inputlookup rules.csv 
    | eval rule = if(boolean=="FALSE","\""+rule+"\"",rule) 
    | return 10000 $rule] 
| eventstats first(time_token) AS time_token first(index_token) AS index_token 
| search rule=* 

Thank you for any suggestions you have to get this search working.


yuanliu
SplunkTrust

As many here will tell you, map is probably the wrong answer to the problem you are trying to solve. That aside, you need to clarify what "not working" and "problem ... with 'map' command" mean, how "things" grey out, etc. (In which window, for example, do "things" grey out?)

It is atypical to use a makeresults subsearch to produce search terms inside a map command. But I think I get that return search should be interpreted verbatim by the compiler. My wild guess is that the search inside the map command does not return any result. Is this the case? It seems that the map command can be simplified to

| map maxsearches=100 search="search $time_token$ $index_token$ $rule$
  | eval rule_found=\"$rule$\", rule_id=\"$id$\""

If this is semantically correct, try substituting select values of time_token, index_token and rule from the earlier search, and perform the mapped search manually for diagnosis. Hope this helps. (Still, there might be a more elegant and less error-prone method than using the map command to solve the problem you are attacking.)


phant0m
Observer

Thank you @yuanliu for your insightful response! The csv file contains 3 columns, "id", "rule", and "Boolean". The id column just identifies which "rule" fired. The "id" column is just a text string to identify the rule that fired.

The "rule" column is a Splunk rule (i.e. "/user:" AND pwd) that either contains a Boolean operator (AND, OR, NOT) or does not contain a Boolean operator.

The "boolean" column just says TRUE or FALSE as to whether the preceding "rules" column contains a boolean. 

I agree with you that the "map" command may not be the best command for what I am trying to do. So far this search string does generate results: 

index="index1" 
    [ inputlookup rules.csv 
    | eval search = if(boolean="FALSE","\""+rule+"\"",rule) 
    | return 10000 $search] 
| head 5 
| fields _time index 
| eval time_token = "_time=" + _time 
    , index_token = "index=" + index 
| stats values(time_token) AS time_token values(index_token) AS index_token 
| eval time_token=mvjoin(time_token," OR ") 
    , index_token=mvjoin(index_token," OR ") 
| append 
    [ inputlookup rules.csv 
    | eval rule = if(boolean="FALSE","\""+rule+"\"",rule)] 
| eventstats first(time_token) AS time_token first(index_token) AS index_token 
| search rule=*

And shows a "time_token" and "index_token" for each time and index that contains a match to one of the rules in the csv file. My attempt with the "map" command was to then map the rule to the event in Splunk to identify which rule fired on which event. Do you have a suggestion for something that could work better? 
