Hi everyone,
I have a use case where I need to iterate over multiple query strings and execute each of them, so I thought of using the map command and passing the search query as a token to the map search, like this:
| makeresults count=1| eval query = "| makeresults count=1 | eval test=\"Hello\"" | map search="$query$" maxsearches=1
This search won't return any results. However, if I put the search string directly in the map command, I get the expected results:
| makeresults count=1| eval query = "" | map search="| makeresults count=1 | eval test=\"Hello\"" maxsearches=1
I thought that field values could be passed in map commands, replacing their respective token. Although this is happening, the map command does not seem to execute the string as a query.
Does someone have an explanation for this behavior, and maybe even a solution?
Okay, after some more research I found out that Splunk isn't parsing the token as a query, but as a string:
03-07-2018 21:49:45.182 INFO SearchParser - PARSING: search "| makeresults count=1 | eval test=\"Hello\""
After passing the string through a macro, everything works as expected:
| makeresults count=1| eval query = "| makeresults count=1 | eval test=\"Hello\"" | map search="`getSearchAsString($query$)`" maxsearches=1
where the macro is defined as:
[getSearchAsString(1)]
args = search
definition = $search$
iseval = 0
I think because you had quotes in the query variable, you could have trimmed them.
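The accepted answer shows the macro workaround for a single query; the original use case was iterating over several. The search below is an added example, not from the original thread, that feeds several query strings through the same getSearchAsString macro (defined exactly as in the answer above, which is assumed to already exist in macros.conf). The query strings are constructed inline and split into one row per query with makemv and mvexpand; map then runs each row's query in its own subsearch, so maxsearches must cover the number of rows.

```spl
| makeresults count=1
| eval query="| makeresults count=1 | eval test=\"Hello\";| makeresults count=1 | eval test=\"World\""
| makemv delim=";" query
| mvexpand query
| map search="`getSearchAsString($query$)`" maxsearches=2
```

The log line quoted in the answer shows why the plain $query$ token fails: map wraps the substituted value in quotes, so the subsearch becomes search "…" and the literal text is used as a search term. The macro re-injects the field value as raw SPL, which is what makes this work, but it also means whatever lands in the query field is executed as a search. Keep that field sourced from something under the author's control (a hard-coded makeresults as here, or an admin-managed lookup file) rather than from indexed event data, and keep maxsearches at the number of rows you intend to run.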