Splunk Search

What is wrong with this "map" command search?

Motivator

I'm facing a very strange situation. I have simplified it to just where the problem is occurring.
Check out the below 2 searches:

| makeresults
| map search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"

This one works fine.

However, the below search fails:

| makeresults
| eval base_search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"
| map search="$base_search$"

The error which I'm getting is:

Unable to run query '"| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"'

Note: The base_search is being loaded from a lookup file in the original code. I have simplified it to make the understanding simpler.

1 Solution

Motivator

Thank you everyone for your responses.

So it looks like there is no straightforward way to do this. For now, the solution I implemented is to write a custom command which executes a query from an incoming column.

I'll keep this thread alive for 2 more days. IF someone has a better approach, please let me know. If not I'll mark this as the answer.

0 Karma

Motivator

Map does not seem to like your variable having quotes around it due to the presence of spaces. That said, I hardly ever recommend "map". I would doubtless recommend a different command if I understood your use case better.

But to answer this question directly, try using a macro to avoid the quotes:

macro

[base_search]
definition = makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]

search:

| makeresults
| map search="| `base_search`"

Use the bracket form of map if your basesearch ever needs to have double quotes in it:

| makeresults
| map [| `base_search`]
0 Karma
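To make the quoting failure from the question concrete, and to show what a custom command that executes SPL from an incoming column (the approach in the accepted answer) should check before running it, here is an added Python example. It is not code from this thread or from Splunk: the token expansion is a simplified model that reproduces the quoted string shown in the error message, not Splunk's implementation, and the sample row, the DENIED_COMMANDS list and the helper names are assumptions.

```python
import re

# Constructed sample row: what `| inputlookup base_queries where _key=...`
# would hand to the next command, with the SPL stored in a string field.
SAMPLE_ROW = {
    "_key": "some_key_value",  # placeholder value from the thread, not a real key
    "base_search": (
        "| makeresults | appendcols [| inputlookup ticket_templates "
        "where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"
    ),
}

TOKEN = re.compile(r"\$(\w+)\$")


def expand_map_template(template: str, row: dict) -> str:
    """Simplified model of map's $field$ expansion (an assumption, not Splunk's
    code): the field value is pasted verbatim into the template, so quotes
    written around the token in the search= argument stay around the query.
    That is the '"| makeresults ..."' string the error message complains about."""
    return TOKEN.sub(lambda m: str(row.get(m.group(1), m.group(0))), template)


# Commands with side effects that SPL loaded from a lookup (i.e. from data)
# should not be allowed to run unreviewed. Example list, not Splunk's.
DENIED_COMMANDS = {"outputlookup", "outputcsv", "collect", "delete", "sendemail"}


def normalize_spl(value: str) -> str:
    """Strip one layer of wrapping quotes and make the string a complete
    generating search (leading pipe), which is what map expects to run."""
    spl = value.strip()
    if len(spl) >= 2 and spl[0] == spl[-1] and spl[0] in "\"'":
        spl = spl[1:-1].strip()
    if spl.startswith("|"):
        return spl
    if spl.lower().startswith("search "):
        return "| " + spl
    return "| search " + spl


def commands_in(spl: str) -> list:
    """Return the command names in a pipeline, in order. Subsearches in []
    are inspected too, so a denied command cannot hide inside one."""
    return [m.group(1).lower() for m in re.finditer(r"[|\[]\s*(\w+)", spl)]


def prepare_query(row: dict, field: str = "base_search") -> str:
    """What a custom command reading SPL from an incoming column should do
    before executing it: normalize, then refuse side-effect commands.
    Raises ValueError instead of running a query it should not run."""
    if field not in row or not str(row[field]).strip():
        raise ValueError(f"row has no {field!r} to execute")
    spl = normalize_spl(str(row[field]))
    denied = DENIED_COMMANDS.intersection(commands_in(spl))
    if denied:
        raise ValueError(f"refusing lookup-supplied query using {sorted(denied)}")
    return spl


if __name__ == "__main__":
    # The failing form from the question: quotes survive around the value.
    print(expand_map_template('"$base_search$"', SAMPLE_ROW))
    # What the custom command would actually hand to the search API.
    print(prepare_query(SAMPLE_ROW))
```

In a real custom search command the string returned by prepare_query is what gets handed to the search API. The point of the two checks is that SPL read from a lookup is data, so a leading-pipe normalization and a denied-command check belong in front of execution; a ValueError is cheaper than a scheduled search that quietly rewrites a lookup.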

Motivator

Thank you.

The problem, however, is that the base_search comes from a lookup file. I simplified the question so as to avoid the complicated query in the original.

|inputlookup base_queries where _key=some_key_value
|map search=$base_search$

0 Karma

New Member

Hi arjun,

Only the map command takes the query in quotes;
here eval is assigning your query as a string to the field "basesearch".

One alternative you can try is to create a macro for your query in Settings > Advanced search > Add new macro.

Then you can call it with basesearch.

0 Karma

Motivator

Not sure how to work around with a macro. In the original problem, the base_search is being loaded from a lookup file. This does work for some queries and doesn't work for others.

In the real problem, the search query would look something like this:

|inputlookup base_queries where _key=some_key_value
|map search=$base_search$

0 Karma

Legend

@arjunpkishore5 is this for Dashboard or Saved Search?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Legend

@arjunpkishore5 is this requirement for Dashboard or Report?
As per the details, your lookup file has SPL that you want to execute? Can you share a few sample events from the lookup? Also, what is the condition for pulling a specific SPL query from the lookup for execution?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Motivator

This is within a saved search. The query is pulled from a lookup file based on the key passed as a parameter.

The base search mentioned in the original question is an example. It could be literally any valid SPL query.

0 Karma