I'm facing a very strange situation. I have simplified it to just where the problem is occurring.
Check out the below 2 searches:
| makeresults
| map search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"
This one works fine.
However, the below search fails:
| makeresults
| eval base_search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"
| map search="$base_search$"
The error which I'm getting is:
Unable to run query '"| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"'
Note: The base_search is being loaded from a lookup file in the original code. I have simplified it to make the understanding simpler.
Thank you everyone for your responses.
So it looks like there is no straightforward way to do this. For now, the solution I implemented is to write a custom command which executes a query from an incoming column.
I'll keep this thread alive for 2 more days. If someone has a better approach, please let me know. If not, I'll mark this as the answer.
Run it like a...
| makeresults | eval base_search="| makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]"
| map search="| makeresults | map search="$base_search$
This would definitely work!!
Map does not seem to like your variable having quotes around it due to the presence of spaces. That said, I hardly ever recommend "map". I would doubtless recommend a different command if I understood your use case better.
But to answer this question directly, try using a macro to avoid the quotes:
macro:
[base_search]
definition = makeresults | appendcols [| inputlookup ticket_templates where _key=5d433a4e10a7872f3a197e81 | stats max(*) as *]
search:
| makeresults
| map search="| `base_search`"
Use the bracketed map definition if your basesearch ever needs to have double quotes in it:
| makeresults
| map [| `base_search`]
Thank you.
The problem, however, is that the base_search comes from a lookup file. I simplified the question so as to avoid the complicated query in the original.
|inputlookup base_queries where _key=some_key_value
|map search=$base_search$
Hi arjun,
only the map command takes a query in quotes;
here eval is assigning your query as a string to the field "basesearch".
One alternative you can try is to create a macro for your query in Settings > Advanced search > Add new macro,
then you can call it with basesearch.
Not sure how to work around with a macro. In the original problem, the base_search is being loaded from a lookup file. This does work for some queries and doesn't work for others.
In the real problem, the search query would look something like this:
|inputlookup base_queries where _key=some_key_value
|map search=$base_search$
@arjunpkishore5 is this for Dashboard or Saved Search?
@arjunpkishore5 is this requirement for Dashboard or Report?
As per the details, your lookup file has SPL that you want to execute? Can you share a few sample events from the lookup? Also, what is the condition for pulling specific SPL from lookup execution of queries?
This is within a saved search. The query is pulled from a lookup file based on the key passed as a parameter.
The base search mentioned in the original question is an example. It could be literally any valid SPL query.