Splunk Search

What is wrong with this "map" command search?

arjunpkishore5
Motivator

I'm facing a very strange situation. I have simplified it to just where the problem is occurring.
Check out the below 2 searches:

| makeresults
| map search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"

This one works fine.

However, the below search fails:

| makeresults
| eval base_search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"
| map search="$base_search$"

The error which I'm getting is:

Unable to run query '"| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"'

Note: The base_search is being loaded from a lookup file in the original code. I have simplified it to make the understanding simpler.

1 Solution

arjunpkishore5
Motivator

Thank you everyone for your responses.

So it looks like there is no straightforward way to do this. For now, the solution I implemented is to write a custom command which executes a query from an incoming column.

I'll keep this thread alive for 2 more days. IF someone has a better approach, please let me know. If not I'll mark this as the answer.


0 Karma
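Added example, not code from the thread or from Splunk: a sketch of the custom command the accepted answer describes, written against the splunklib searchcommands API. It reads the SPL from the `base_search` field of each incoming row (the lookup in the thread), strips the wrapping quotes that produced the `Unable to run query` error, refuses anything whose leading command is not on a short allowlist, and runs what remains as a oneshot search; SPL pulled from an editable lookup executes with the saved search owner's permissions, so whoever can edit the lookup decides what runs. The command name `runspl`, the allowlist contents and the `field` option are assumptions.

```python
import re
import sys

try:  # splunklib ships with the Splunk SDK for Python; absent outside a Splunk app
    from splunklib import results
    from splunklib.searchcommands import Configuration, Option, StreamingCommand, dispatch
    HAVE_SPLUNKLIB = True
except ImportError:
    HAVE_SPLUNKLIB = False

# Leading commands we are willing to run from lookup-supplied SPL (assumed allowlist).
ALLOWED_LEADING = {"makeresults", "inputlookup", "search", "tstats"}

def normalize_spl(raw):
    """Turn a field value into a runnable search string, or raise ValueError.
    Strips one layer of wrapping quotes (the form behind the thread's 'Unable to
    run query' error) and makes sure the string starts with a pipe."""
    spl = (raw or "").strip()
    if len(spl) >= 2 and spl[0] == spl[-1] and spl[0] in "\"'":
        spl = spl[1:-1].strip()
    if not spl:
        raise ValueError("empty SPL")
    return spl if spl.startswith("|") else "| " + spl

def leading_command(spl):
    """Name of the first command after the leading pipe, lower-cased."""
    match = re.match(r"\|\s*([A-Za-z_]+)", spl)
    return match.group(1).lower() if match else ""

def check_allowed(spl, allowed=ALLOWED_LEADING):
    """True when the SPL starts with an allowlisted command."""
    return leading_command(spl) in allowed

if HAVE_SPLUNKLIB:
    @Configuration()
    class RunSplCommand(StreamingCommand):
        field = Option(default="base_search")  # incoming field that holds the SPL
        def stream(self, records):
            for record in records:
                spl = normalize_spl(record.get(self.field))
                if not check_allowed(spl):
                    self.logger.warning("refusing SPL starting with %r", leading_command(spl))
                    continue
                job = self.service.jobs.oneshot(spl, output_mode="json")
                for row in results.JSONResultsReader(job):
                    if isinstance(row, dict):  # skip Message objects
                        yield row

    if __name__ == "__main__":
        dispatch(RunSplCommand, sys.argv, sys.stdin, sys.stdout, __name__)
```

Registered in commands.conf as a streaming command, it replaces `| map search="$base_search$"` with `| runspl field=base_search` after the `inputlookup`.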


landen99
Motivator

Map does not seem to like your variable having quotes around it due to the presence of spaces. That said, I hardly ever recommend "map". I would doubtless recommend a different command if I understood your use case better.

But to answer this question directly, try using a macro to avoid the quotes:

macro:

[base_search]
definition = makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]

search:

| makeresults
| map search="| `base_search`"

Use the bracket form of map if your base search ever needs to have double quotes in it:

| makeresults
| map [| `base_search`]

0 Karma

arjunpkishore5
Motivator

Thank you.

The problem, however, is that the base_search comes from a lookup file. I simplified the question so as to avoid the complicated query in the original.

|inputlookup base_queries where _key=some_key_value
|map search=$base_search$

0 Karma

hok2010
New Member

Hi Arjun,

Only the map command takes the query in quotes;
here eval is assigning your query as a string to the field "basesearch".

One alternative you can try is to create a macro for your query in Settings > Advanced search > Add new macro.

Then you can call it with `basesearch`.

0 Karma

arjunpkishore5
Motivator

Not sure how to work around this with a macro. In the original problem, the base_search is being loaded from a lookup file. This does work for some queries and doesn't work for others.

In the real problem, the search query would look something like this

|inputlookup base_queries where _key=some_key_value
|map search=$base_search$

0 Karma

niketn
Legend

@arjunpkishore5 is this for Dashboard or Saved Search?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@arjunpkishore5 is this requirement for Dashboard or Report?
As per the details, your lookup file has SPL that you want to execute? Can you share a few sample events from the lookup? Also, what is the condition for pulling specific SPL from the lookup for execution of queries?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

arjunpkishore5
Motivator

This is within a saved search. The query is pulled from a lookup file based on the key passed as a parameter.

The base search mentioned in the original question is an example. It could be literally any valid SPL query.

0 Karma