Splunk Search

Why do I have empty columns when using map in my search

gesa_behrens
Path Finder

Hello,

I have created a search using the map command to retrieve fields from another source. Both searches run separately produce expected results, but when I put them together the columns from the original search (not the map) stay empty. Here is my complete search:

index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=$customer_IP1$ | stats values($customer_IP1$) as IP, values($status_final$) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"

I have also tried this :
index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=$customer_IP1$ | stats first(reg_nr) as reg_nr | table reg_nr" | fields customer_IP1, status_final, reg_nr

I tried many more variations, e.g. using the subsearch notation etc, but they all return empty columns for customer_IP1 and status_final (or IP and status in the first statement). The results for reg_nr look good.

Thanks for any help

1 Solution

renjith_nair
Legend

@gesa_behrens,

As mentioned in the docs, the map command is a looping operator that runs a search repeatedly for each input event or result, i.e. a search with a string like $count$, for example, will replace the variable with the value of the count field in the input search result.

Let's take the result of the below search as an example,

index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final 

----Result----
customer_IP1  status_final
1.1.1.1       400
2.2.2.2       400

Now in the map command, wherever the variable is mentioned, it will be replaced with the value of that field, in our case customer_IP1 & status_final. For each value, the map search will be executed, i.e.

 | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=1.1.1.1 | stats values(1.1.1.1) as IP, values(400) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"

values(1.1.1.1) does not yield a value since 1.1.1.1 is not a field, and similarly values(400).

You may check the search.log in the job inspector to verify this.

Happy Splunking!


gesa_behrens
Path Finder

Thanks renjith.nair for the quick answer.
That makes sense. I see now why this statement cannot work.
Can you please have a look at my second statement too? This is very similar to something I found in another Splunk answer, but does not work either.
The main question is: How do I get the values (customer_IP and status_final) from the first search into the result table at the end.


renjith_nair
Legend

Try a different approach.

index=main (sourcetype="access_log" OR sourcetype="logdb")
|eventstats dc(sourcetype) as c by customer_IP
|where c > 1
|stats values(status_final) as status,first(reg_nr) as reg_nr by customer_IP

Test it with your data and see if it works.

Happy Splunking!

gesa_behrens
Path Finder

This one actually works, thanks !

Does this mean that using 'map' I cannot enrich a table from the first search?
From the documentation I thought this was exactly the purpose of 'map'.
But this is maybe not the right place to discuss this.
Thanks for your help!

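As an added example (not part of the original thread, and not tested against the poster's data), here is the map-based variant that follows from the accepted answer's explanation and addresses the last question: because $customer_IP1$ and $status_final$ are substituted into the inner search as text, they can be written back into each inner result as quoted string literals with eval, instead of being placed where stats expects a field name. Index, sourcetypes and field names are the ones used in the thread.

```spl
index=main sourcetype="access_log" status_final=400
| stats count by customer_IP, status_final
| rename customer_IP as customer_IP1
| table customer_IP1, status_final
| map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=\"$customer_IP1$\" | stats first(reg_nr) as reg_nr | eval customer_IP1=\"$customer_IP1$\", status_final=\"$status_final$\" | table customer_IP1, status_final, reg_nr"
```

For the first row of the outer result the inner search expands to `... customer_IP="1.1.1.1" | stats first(reg_nr) as reg_nr | eval customer_IP1="1.1.1.1", status_final="400" | ...`, so each iteration returns one row carrying the outer values alongside reg_nr. The double quotes inside the map search string are escaped with backslashes because the whole inner search is itself a quoted string. Quoting the substituted value in `customer_IP=\"$customer_IP1$\"` keeps the inner search syntactically valid if a value contains spaces or other characters SPL would interpret; since the substitution is purely textual, whatever characters the outer field holds end up in the inner search string, so the expanded searches are worth checking in search.log via the job inspector, as suggested above. Note that map runs one search per outer row, so maxsearches must be at least the number of distinct customer_IP values.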