
    Why do I have empty columns when using map in my search

    gesa_behrens
    Path Finder

    Hello,

    I have created a search using the map command to retrieve fields from another source. Both searches run separately produce expected results, but when I put them together the columns from the original search (not the map) stay empty. Here is my complete search:

    index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=$customer_IP1$ | stats values($customer_IP1$) as IP, values($status_final$) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"

    I have also tried this:
    index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=$customer_IP1$ | stats first(reg_nr) as reg_nr | table reg_nr" | fields customer_IP1, status_final, reg_nr

    I tried many more variations, e.g. using the subsearch notation etc, but they all return empty columns for customer_IP1 and status_final (or IP and status in the first statement). The results for reg_nr look good.

    Thanks for any help

    1 Solution

    renjith_nair
    Legend

    @gesa_behrens,

    As mentioned in the docs, the map command is a looping operator that runs a search repeatedly for each input event or result, i.e. in a search with a string like $count$, the variable will be replaced with the value of the count field in the input search result.

    Let's take the result of the below search as an example:

    index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final 
    
    ----Result----
    customer_IP1  status_final
    1.1.1.1       400
    2.2.2.2       400
    

    Now in the map command, wherever the variable is mentioned, it will be replaced with the value of that field, in our case customer_IP1 and status_final. For each row, the map search will be executed, i.e.

     | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=1.1.1.1 | stats values(1.1.1.1) as IP, values(400) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"
    

    values(1.1.1.1) does not yield a value since 1.1.1.1 is not a field, and similarly values(400).

    You may check the search.log in the job inspector to verify this.

    ---
    What goes around comes around. If it helps, hit it with Karma 🙂

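    As an added example (not part of the thread or of Splunk's documentation), the form of the map search that follows from this explanation: keep the outer fields out of the stats functions and instead assign them in an eval inside the map search, quoted with escaped double quotes, so that after substitution they are inserted as string literals rather than treated as field names. Index, sourcetype and field names are those from the question; that reg_nr is present in the logdb events is assumed.

```spl
index=main sourcetype="access_log" status_final=400
| stats count by customer_IP, status_final
| rename customer_IP as customer_IP1
| table customer_IP1, status_final
| map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=\"$customer_IP1$\" | stats first(reg_nr) as reg_nr | eval IP=\"$customer_IP1$\", status=\"$status_final$\" | table IP, status, reg_nr"
```

    For the first row of the result above, map generates `search index=main sourcetype=logdb customer_IP="1.1.1.1" | stats first(reg_nr) as reg_nr | eval IP="1.1.1.1", status="400" | table IP, status, reg_nr`, so IP and status are filled from the outer row and reg_nr from the logdb events. Two caveats: a customer_IP1 with no matching logdb events produces no stats row for eval to attach to, so that IP disappears from the final table (the result behaves like an inner join); and because map substitutes the raw field value into the search string, a value containing a double quote or a pipe changes the generated search, so constrain values that originate from client-controlled data such as access logs (for example `| where match(customer_IP1, "^[0-9.]+$")`) before the map command.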


    gesa_behrens
    Path Finder

    Thanks renjith.nair for the quick answer.
    That makes sense. I see now why this statement cannot work.
    Can you please have a look at my second statement too? This is very similar to something I found in another Splunk answer, but does not work either.
    The main question is: how do I get the values (customer_IP and status_final) from the first search into the result table at the end?


    renjith_nair
    Legend

    Try a different approach.

    index=main (sourcetype="access_log" OR sourcetype="logdb")
    |eventstats dc(sourcetype) as c by customer_IP
    |where c > 1
    |stats values(status_final) as status,first(reg_nr) as reg_nr by customer_IP
    

    Test it with your data and see if it works.


    gesa_behrens
    Path Finder

    This one actually works, thanks!

    Does this mean that using 'map' I cannot enrich a table from the first search?
    From the documentation I thought this was exactly the purpose of 'map' .
    But this is maybe not the right place to discuss this.
    Thanks for your help!
