Splunk Search

Why does the map command return no results?


Hi everyone,

I have a use case where I need to iterate over multiple query strings and execute each of them, so I though of using the map command and passing the search query as a token to the map search like this
| makeresults count=1| eval query = "| makeresults count=1 | eval test=\"Hello\"" | map search="$query$" maxsearches=1

This search won't return any results. However if I put the search string directly in the mapping command I get the expected results

| makeresults count=1| eval query = "" | map search="| makeresults count=1 | eval test=\"Hello\"" maxsearches=1

I thought that field values can be passed in mapping commands replacing their respective token. Although this is happening, the map command does not seem to execute the string as a query.

Does someone has an explanation for this behavior and maybe even a solution?

0 Karma


Okay after some more research I found out that Splunk isn't parsing the token as a query, but as a string.

03-07-2018 21:49:45.182 INFO SearchParser - PARSING: search "| makeresults count=1 | eval test=\"Hello\""

After passing the string through a macro, everything works as expected

| makeresults count=1| eval query = "| makeresults count=1 | eval test=\"Hello\"" | map search="`getSearchAsString($query$)`" maxsearches=1

where the macro is defined as

args = search
definition = $search$
iseval = 0
0 Karma


I think because you had quotes in query variable, you could have trimmed them

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!