Solved: Why when using "map" command, if I use the string ...

yutaka1005 · ‎09-07-2018

Splunk ver : 7.1.2

When I use the map command, if argument that pass to map is string, results are never displayed.
But, if argument is int or string that contains space, then it works!

Below search is examples.
* Since it is a sample, it is weird search, but please do not mind.

Not working case:

| makeresults count=3 
| eval field1="test"
| table field1 
| map search="| stats count | fields - count | eval map_field1=$field1$ | table map_field1"

Working case1:

| makeresults count=3 
| eval field1=111    
| table field1 
| map search="| stats count | fields - count | eval map_field1=$field1$ | table map_field1"

Working case2:

| makeresults count=3 
| eval field1="this is test"  
| table field1 
| map search="| stats count | fields - count | eval map_field1=$field1$ | table map_field1"

Is this specification, or issue?
*if it is, I'm so sorry.

Please someone tell me.

harishalipaka · ‎09-07-2018

hi @yutaka1005

try like this

| makeresults count=3 
 | eval field1=111
 | table field1 
 | map [search | stats count | fields - count | eval map_field1="$field1$" | table map_field1]

Thanks
Harish

View solution in original post

harishalipaka · ‎09-07-2018

hi @yutaka1005

try like this

| makeresults count=3 
 | eval field1=111
 | table field1 
 | map [search | stats count | fields - count | eval map_field1="$field1$" | table map_field1]

Thanks
Harish

yutaka1005 · ‎09-09-2018

Thank you for answer!

Problem was solved by doing like you taught me.

But I wonder why I can't pass a string to map unless I surround argument with double quote.
Also I wonder why I can pass string that has space.

MuS · ‎09-09-2018

Hi yutaka1005,

you are using an eval and using field vs "field" is not the same 😉

using field in an eval will tell Splunk to use the values of the field field
using "field" in an eval will tell Splunk to use the string field

As example:

 | eval bar="111" | eval foo=bar

this will result in foo="111", whereas

 | eval bar="111" | eval foo="bar"

will result in foo="bar".

Hope this explains the problem you encountered.

cheers, MuS

yutaka1005 · ‎09-10-2018

Thank you for comment.

So, you means below, right?

If I pass int to map

| eval bar=111 | map [ | eval foo=$bar$ ]

Although 111 is passed to map without double quote, int is defined as value(*not as field), so result is foo=111.

If I pass string to map

| eval bar="test" | map [ | eval foo=$bar$ ]

Because string without double quote is defined as field, so result is foo=test.
Then there is not test field, so result is never displayed.

Therefore, I should surround argument in map with double quote.
I was able to accept until here.

But I wonder why it working when using pass string that has space without double quote.

Such case like below, although argument in map is not surrounded with double quote, result is foo="this is test".

| eval bar="this is test" | map [ | eval foo=$bar$ ]

MuS · ‎09-10-2018

I might misunderstood your question, but have a go with this run everywhere search:

| makeresults count=3 
| eval field1="test with space", bar="baz", field2=bar, field3=123
| map search="| stats count | fields - count | eval map_field1=\"$field1$\",map_field2=\"$field2$\",map_field3=\"$field3$\",map_bar=\"$bar$\" "

This might answer and/or clarify the issue. I reckon the important thing is to have the token field in the map search like this \"$name$\"

cheers, MuS

Why when using "map" command, if I use the string argument with "map", results are not displayed?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies