Splunk Search

What is wrong with this "map" command search?

arjunpkishore5
Motivator

I'm facing a very strange situation. I have simplified it to just where the problem is occurring.
Check out the below 2 searches:

| makeresults
| map search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"

This one works fine.

However, the below search fails:

| makeresults
| eval base_search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"
| map search="$base_search$"

The error which I'm getting is:

Unable to run query '"| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"'

Note: The base_search is being loaded from a lookup file in the original code. I have simplified it to make the understanding simpler.

1 Solution

arjunpkishore5
Motivator

Thank you everyone for your responses.

So it looks like there is no straightforward way to do this. For now, the solution I implemented is to write a custom command which executes a query from an incoming column.

I'll keep this thread alive for 2 more days. IF someone has a better approach, please let me know. If not I'll mark this as the answer.


Hdholariya
Engager

Run it like a... 

| makeresults
| eval base_search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"
| map search="| makeresults | map search="$base_search$

This would definitely work!!



landen99
Motivator

Map does not seem to like your variable having quotes around it due to the presence of spaces. That said, I hardly ever recommend "map". I would doubtless recommend a different command if I understood your use case better.

But to answer this question directly, try using a macro to avoid the quotes:

macro

[base_search]
definition = makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]

search:

| makeresults
| map search="| `base_search`"

Use the bracket form of map if your base search ever needs to have double quotes in it:

| makeresults
| map [| `base_search`]

arjunpkishore5
Motivator

Thank you.

The problem, however, is that the base_search comes from a lookup file. I simplified the question so as to avoid the complicated query in the original:

|inputlookup base_queries where _key=some_key_value
|map search=$base_search$


hok2010
New Member

Hi Arjun,

Only the map command takes the query in quotes;
here eval is assigning your query as a string to the field "basesearch".

One alternative you can try is to create a macro for your query in Settings > Advanced search > Add new macro.

Then you can call it with basesearch.


arjunpkishore5
Motivator

Not sure how to work around with a macro. In the original problem, the base_search is being loaded from a lookup file. This does work for some queries and doesn't work for others.

In the real problem, the search query would look something like this:

|inputlookup base_queries where _key=some_key_value
|map search=$base_search$


niketn
Legend

@arjunpkishore5 is this for Dashboard or Saved Search?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@arjunpkishore5 is this requirement for Dashboard or Report?
As per the details, your lookup file has SPL that you want to execute? Can you share a few sample events from the lookup? Also, what is the condition for pulling specific SPL from the lookup for execution of queries?

arjunpkishore5
Motivator

This is within a saved search. The query is pulled from a lookup file based on the key passed as a parameter.

The base search mentioned in the original question is an example. It could be literally any valid SPL query.