So I have this search looking to send emails to people logging into a legacy SH, but the map command breaks my results.
index=_audit sourcetype = audittrail action="login attempt"|eval user=user.""."@gmail.com"|fields user|map search="sendemail to=$user$ subject=Please Stoping Using Old SH message="Please migrate to new SH" sendresults=true inline=true format=raw"
In what way does it break the results? By 'base search' do you mean a base search in a dashboard?
One comment about the search. You are double quoting the message string but not subject.
By the base search, I mean the part of the search before the map command.
I suggested you quote the subject string, like you have quoted the message string - did you do that?
Can you also give us some indication of what 'it is broken' means? Can you describe or upload a screenshot of what 'broken' means?
A search is a pipeline of processing instructions for events - processing further down the pipeline cannot directly affect processing higher up in the pipeline.
How do you know it is "broken"?
Everything before the map command works, until I add that last half.
Do you need to escape the double quotes used in the search string?
In the eval? That's to actually make them into email strings
Something like this (untested):
index=_audit sourcetype = audittrail action="login attempt"|eval user=user.""."@gmail.com"|fields user|map search="sendemail to=$user$ subject=\"Please Stoping Using Old SH\" message=\"Please migrate to new SH\" sendresults=true inline=true format=raw"
I don't need to escape them, but it is still broken.
Have you tried it with escaped quotes?
index=_audit sourcetype = audittrail action="login attempt"|eval user=user.""."@gmail.com"|fields user|map search="sendemail to=\"$user$\" subject=\"Please Stoping Using Old SH\" message=\"Please migrate to new SH\" sendresults=true inline=true format=raw"