Why is search not returning result when using map?

New Member

Hello,
My following search returns records for Account:

index="X" AND (sourcetype="A:Proxy" OR sourcetype="A:orderpusher")          
| where NOT isnull(Account)
| table _raw, _time, Account, User

But if I use map (which is required for my XML dashboard form), then I do not get any results:

| makeresults
| map search="search  index=neonconnect_dev AND (sourcetype=NeonConnect:Proxy OR sourcetype=neonconnect:orderpusher)"
| where NOT isnull(Account) 
| table _raw, _time, Account, User

My source data contains the required data (file), but I still can't see any results. Kindly help.
Thanks.

0 Karma

Re: Why is search not returning result when using map?

New Member

Correction: in both queries above I use the same index and sourcetype (though they look different in my question).

0 Karma

Re: Why is search not returning result when using map?

Ultra Champion
| makeresults
| map search="search index=_internal splunkd"

Hi, @sheikhazad
This query produces results.
I think | where NOT isnull(Account) is evil.

| makeresults
| map search="search index=neonconnect_dev  (sourcetype=NeonConnect:Proxy OR sourcetype=neonconnect:orderpusher)"
| table _raw, _time, Account, User
| search Account!=""

How about this?

0 Karma

Re: Why is search not returning result when using map?

New Member

Sadly, it doesn't work. Please see my main comment: I got results when I changed the query, and I still need an answer as to why changing my query works.

0 Karma

Re: Why is search not returning result when using map?

Esteemed Legend

Tell us more about why map is required for my xml dashboard form. I do not believe that is true and the real solution is to NOT use map.

0 Karma

Re: Why is search not returning result when using map?

New Member

I want all accounts to be shown in my dashboard's drop-down menu. Without map it doesn't work. Not sure why. I am a 1-day-old kid in Splunk 😞

0 Karma

Re: Why is search not returning result when using map?

Esteemed Legend

Then let's solve that problem the right way. Trust me: map is not the answer. Show us your dashboard XML.

0 Karma
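
Added example (not part of the thread and not the poster's dashboard): one way to fill a dashboard drop-down with every Account value without map, written as a hypothetical Simple XML form. The token name account_tok, the labels and the time ranges are assumptions; the index and sourcetypes are the placeholders from the question.

```xml
<!-- Added example: hypothetical form. Token name, labels and time ranges are
     assumptions; index and sourcetypes are the question's placeholders. -->
<form>
  <label>Account activity</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="account_tok" searchWhenChanged="true">
      <label>Account</label>
      <!-- Static entry so the panel can show every account -->
      <choice value="*">All</choice>
      <default>*</default>
      <!-- Field of the populating search used for both label and value -->
      <fieldForLabel>Account</fieldForLabel>
      <fieldForValue>Account</fieldForValue>
      <search>
        <!-- Account=* keeps only events that have the field;
             stats returns one row per distinct Account -->
        <query>index="X" (sourcetype="A:Proxy" OR sourcetype="A:orderpusher") Account=*
| stats count by Account
| fields Account</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The |s token filter wraps the selected value in double quotes
               and escapes embedded quotes before it is placed in the search -->
          <query>index="X" (sourcetype="A:Proxy" OR sourcetype="A:orderpusher") Account=$account_tok|s$
| table _raw, _time, Account, User</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```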

Re: Why is search not returning result when using map?

New Member

Please see my dashboard XML in my main comment.

0 Karma

Re: Why is search not returning result when using map?

Esteemed Legend

It is almost certainly because you are not using the double-quotes for your sourcetype value. Try this:

| makeresults
| map search="search index=\"X\" AND (sourcetype=\"A:Proxy\" OR sourcetype=\"A:orderpusher\")
| where NOT isnull(Account)
| table _raw, _time, Account, User"

Be aware that this limits both the run-time of your search and the size of your results set.

0 Karma

Re: Why is search not returning result when using map?

New Member

Sadly, it doesn't work. Please see my main comment: I got results when I changed the query, and I still need an answer as to why changing my query works.

0 Karma