Splunk Search

Why do I have empty columns when using map in my search

gesa_behrens
Path Finder

Hello,

I have created a search using the map command to retrieve fields from another source. Both searches run seperatly produce expected results, but when I put them together the columns from the original search (not he map) stay empty. Here is my complete search :

index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=$customer_IP1$ | stats values($customer_IP1$) as IP, values($status_final$) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"

I have also tried this :
index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=$customer_IP1$ | stats first(reg_nr) as reg_nr | table reg_nr" | fields customer_IP1, status_final, reg_nr

I tried many more variations, e.g. using the subsearch notation etc, but they all return empty columns for customer_IP1 and status_final (or IP and status in the first statement). The results for reg_nr look good.

Thanks for any help

0 Karma
1 Solution

renjith_nair
Legend

@gesa_behrens,

As mentioned in the docs , the map command is a looping operator that runs a search repeatedly for each input event or result. i.e. a search with a string like $count$, for example, will replace the variable with the value of the count field in the input search result.

Lets take result of the below search as an example,

index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final 

----Result----
1.1.1.1 400
2.2.2.2 400

Now in the map command, wherever the variable is mentioned, it will be replaced with the value of that field and in our case customer_IP1 & status_final . For each value, the map search will be executed , i.e.

 | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=1.1.1.1 | stats values(1.1.1.1) as IP, values(400) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"

values(1.1.1.1) does not yield a value since 1.1.1.1 its not a filed and similarly values(400).

You may check the search.log in the job inspector to verify this.

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

@gesa_behrens,

As mentioned in the docs , the map command is a looping operator that runs a search repeatedly for each input event or result. i.e. a search with a string like $count$, for example, will replace the variable with the value of the count field in the input search result.

Lets take result of the below search as an example,

index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final 

----Result----
1.1.1.1 400
2.2.2.2 400

Now in the map command, wherever the variable is mentioned, it will be replaced with the value of that field and in our case customer_IP1 & status_final . For each value, the map search will be executed , i.e.

 | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=1.1.1.1 | stats values(1.1.1.1) as IP, values(400) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"

values(1.1.1.1) does not yield a value since 1.1.1.1 its not a filed and similarly values(400).

You may check the search.log in the job inspector to verify this.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

gesa_behrens
Path Finder

Thanks renjith.nair for the quick answer.
That makes sense. I see now why this statement cannot work.
Can you please have a look at my second statement too? This is very similar to something I found in another splunk answer, but does not work either.
The main question is : How do I get the values (customer_IP and status_final) from the first search into the result table at the end.

0 Karma

renjith_nair
Legend

Try a different approach.

index=main (sourcetype="access_log" OR sourcetype="logdb")
|eventstats dc(sourcetype) as c by customer_IP
|where c > 1
|stats values(status_final) as status,first(reg_nr) as reg_nr by customer_IP

Test it with your data and see it works.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

gesa_behrens
Path Finder

This one actually works, thanks !

Does this mean that using 'map' I cannot enrich a table form the first search?
From the documentation I thought this was exactly the purpose of 'map' .
But this is maybe not the right place to discuss this.
Thanks for your help!

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...