Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is search not returning result when using map?

sheikhazad
New Member
‎12-06-2019 08:55 AM

Hello,
My following search results records for Account:

index="X" AND (sourcetype="A:Proxy" OR sourcetype="A:orderpusher")          
| where NOT isnull(Account)
| table _raw, _time, Account, User

But if i use map (which is required for my xml dashboard form ), then I do not get any result:

| makeresults
| map search="search  index=neonconnect_dev AND (sourcetype=NeonConnect:Proxy OR sourcetype=neonconnect:orderpusher)"
| where NOT isnull(Account) 
| table _raw, _time, Account, User

My source data contains required data(file), still I can't see result. Kindly help.
Thanks.

Tags (3)
0 Karma
Reply

sheikhazad
New Member
‎12-11-2019 03:01 AM

Here is my dashboard and I am showing relevant queries only. With this queries with map, my problem is solved:

    <query>
        | makeresults
        | addinfo
        | eval orders_index = "$Trading$"
        | eval beginTimeFromMinTime=relative_time(info_min_time, "@d")
        | map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype=\"NeonConnect:Proxy\" OR sourcetype=\"neonconnect:orderpusher\") AND OrderStatus AND User AND Account"
    </query>
    <earliest>$orderTime.earliest$</earliest>
    <latest>$orderTime.latest$</latest>
    <sampleRatio>1</sampleRatio>
</search>

........................................................................................
Below query is to show Users in drop down
.......................................................................................

        <input type="dropdown" token="tokFilterUser" searchWhenChanged="true">
            <label>Filter on User</label>
            <search base="baseProxySearch">
                <query>
                    | where NOT isnull(User)
                    | dedup User
                    | eval User=lower(User)
                    | dedup User
                    | table User
                    | sort User
                </query>
            </search>
            <fieldForLabel>User</fieldForLabel>
            <fieldForValue>User</fieldForValue>
            <choice value="*">All Users</choice>
            <default>*</default>
        </input>

........................................................................................
Below query is to show Accounts in drop down
.......................................................................................




| where NOT isnull(Account) AND (User="$tokFilterUser$" OR "$tokFilterUser$"="")
| dedup Account
| eval Account=lower(Account)
| dedup Account
| table Account
| sort Account


Account
Account
<choice value="">All Account Names
*

0 Karma
Reply

arjunpkishore5
Motivator
‎12-07-2019 08:43 PM

What exactly are you trying to achieve with map? Could you provide more details on what you're trying to achieve in the dashboard? There might be an alternative solution to it.

In the meanwhile, for your query, I suspect the metadata is getting altered when results are passed from map. Try enclosing the whole query in map

| makeresults
| map [ search index=neonconnect_dev  sourcetype IN ("NeonConnect:Proxy", "neonconnect:orderpusher")
  | where NOT isnull(Account)
  | table _raw, _time, Account, User]
0 Karma
Reply

sheikhazad
New Member
‎12-11-2019 03:04 AM

Unfortunately, when I enclose map with [ ] as you suggested, it fails to work. Pls see my dashboard xml in main comment

0 Karma
Reply

sheikhazad
New Member
‎12-06-2019 12:46 PM

Problem solved but still want answer:

My input source (which is log file) contains a lot of unnecessary data like:

2019-12-06 20:26:54,753 UTC : INFO PC=I, PM=0, PI=0, PR=3
2019-12-06 20:27:24,770 UTC : INFO PC=I, PM=0, PI=0, PR=3

And my log files are kept on updating with these data which DO NOT contain "Account" info which I am looking for.

I changed the query to limit the data in index by adding "AND OrderStatus AND User AND Account" which makes sure that the data contains Account info like:

2019-12-04 17:05:59,026 UTC : INFO User=ASHAH, Account=AShah, AccountId=2, OrderStatus=Unknown, Status=Pending

Old failed query:
| map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype="NeonConnect:Proxy" OR sourcetype="neonconnect:orderpusher") "

New successful query:
| map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype="NeonConnect:Proxy" OR sourcetype="neonconnect:orderpusher") AND OrderStatus AND User AND Account"

My question is, how limiting data in Splunk Index solved the problem? Is a lot of data in Splunk Index cause unreliable result?

0 Karma
Reply

woodcock
Esteemed Legend
‎12-06-2019 12:18 PM

It is almost certainly because you are not using the double-quotes for your sourcetype value. Try this:

| makeresults
| map search="search index=\"X\" AND (sourcetype=\"A:Proxy\" OR sourcetype=\"A:orderpusher\")
| where NOT isnull(Account)
| table _raw, _time, Account, User"

Be aware that this limits both the run-time of your search and the size of your results set.

0 Karma
Reply

sheikhazad
New Member
‎12-06-2019 12:52 PM

Sadly it doesnt work. Pls see my main comment and I got result when I changed query and still need answers why changing my query works

0 Karma
Reply

woodcock
Esteemed Legend
‎12-06-2019 12:16 PM

Tell us more about why map is required for my xml dashboard form. I do not believe that is true and the real solution is to NOT use map.

0 Karma
Reply

sheikhazad
New Member
‎12-06-2019 01:01 PM

I want that all accounts are shown in my dasboard's drop down menu. Without map it doesnt work. Not sure why. I am 1 day old kid in splunk 😞

0 Karma
Reply

woodcock
Esteemed Legend
‎12-06-2019 02:02 PM

Then let's solve that problem the right way. Trust me: map is not the answer. Show us your dashboard XML.

0 Karma
Reply

sheikhazad
New Member
‎12-11-2019 03:02 AM

Pls see my dashboard xml in main comment

0 Karma
Reply

to4kawa
Ultra Champion
‎12-06-2019 11:50 AM 
| makeresults
| map search="search index=_internal splunkd"

Hi, @sheikhazad
this query produces results.
I think | where NOT isnull(Account) is evil.

| makeresults
| map search="search index=neonconnect_dev  (sourcetype=NeonConnect:Proxy OR sourcetype=neonconnect:orderpusher)"
| table _raw, _time, Account, User
| search Account!=""

How about this?

0 Karma
Reply

sheikhazad
New Member
‎12-06-2019 12:25 PM

Sadly it doesnt work. Pls see my main comment and I got result when I changed query and still need answers why changing my query works

0 Karma
Reply

sheikhazad
New Member
‎12-06-2019 09:38 AM

Correction: In both above queries I use same Index and SourceType (though it seems different in my question)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top