Hi, please find below the snippet in my dashboard:
<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
<param name="search">
<![CDATA[| inputlookup splunk_servers_cache | search server_role="search-peer" | map maxsearches=100 search="| rest count=35 /services/data/indexes splunk_server=$sos_server$ " | stats sum(currentDBSizeMB) as currentDBSizeMB list(minTime) as MinTime by title splunk_server| eval currentDBSizeGB = currentDBSizeMB/1024 | where currentDBSizeMB>1]]></param>
</module>
The search returns results when run as a freeform search, but when run in a dashboard it doesn't return any results.
When I checked in the job inspector, the query is shown as
| inputlookup splunk_servers_cache | search server_role="search-peer" | map maxsearches=100 search=| rest count=35 /services/data/indexes splunk_server= | stats sum(currentDBSizeMB) as currentDBSizeMB list(minTime) as MinTime by title splunk_server | eval currentDBSizeGB = currentDBSizeMB/1024 | search title="*apps" OR title="*perf" | where currentDBSizeMB>1
where the quotes for the map command and the splunk_server substitution disappeared.
How do I avoid this and get the query running in the dashboard?
Complete XML:
<view autoCancelInterval="90" isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
<label>Index Size Distrubution</label>
<module name="AccountBar" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="appHeader"/>
<module name="SideviewUtils" layoutPanel="appHeader"/>
<module name="Message" layoutPanel="messaging">
<param name="filter">*</param>
<param name="maxSize">2</param>
<param name="clearOnJobDispatch">False</param>
</module>
<module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
<param name="search">
<![CDATA[| inputlookup splunk_servers_cache | search server_role="search-peer" | map maxsearches=100 search="| rest count=35 /services/data/indexes splunk_server=$sos_server$ " | stats sum(currentDBSizeMB) as currentDBSizeMB list(minTime) as MinTime by title splunk_server| eval currentDBSizeGB = currentDBSizeMB/1024 | where currentDBSizeMB>1]]></param>
<param name="earliest">-15m</param>
<param name="latest">now</param>
<module name="JobProgressIndicator"/>
<module name="Paginator" layoutPanel="panel_row2_col1" group="Search Results">
<param name="count">10</param>
<param name="entityName">results</param>
<param name="groupLabel">Search Results</param>
<module name="EnablePreview">
<param name="enable">True</param>
<param name="display">False</param>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
<param name="allowTransformedFieldSelect">True</param>
<module name="Gimp"/>
</module>
</module>
</module>
</module>
</view>
OK. I think you're confused about what the $sos_server$ is doing.
$sos_server$ is just a $foo$ token that the Search module will recognize. It doesn't have anything to do with the map command in particular. The Search module will look upstream for a Pulldown or a TextField or some other Splunk or Sideview UI element that has created a "sos_server" token, and it will substitute that token value into the search, if it finds one.
In your view there isn't anything creating that token, so the Search module will substitute in "", and the rest command run inside map will be
| rest count=35 /services/data/indexes splunk_server="
which I suspect is a syntax error. However, since it's inside map the syntax error doesn't get reported anywhere and the end result is a quiet failure.
I'm thinking you probably copied the map command out of the Splunk-on-Splunk app? If you go back to the view you copied it from, you'll see that somewhere upstream there was a <param name="sos_server"> on some module, probably a Pulldown.
Also take a pass through the first few documentation pages inside the Sideview Utils app itself because this will help you orient much more quickly. The docs are filled with living examples of working views and you can copy and paste from those little xml snippets into your production dashboards.
Oh of course. Sorry it's been a long time since I used map, and it was before Sideview Utils existed.
Partially right. My server name is not named as $sos_server$.
sos_server is a field name in a lookup. The map command is like a for loop which runs the query for all values of the field.
Oh! And you've literally called your server "$sos_server$"? It's pretty unusual to give a server a name with $ characters in it, because this character has meaning across Splunk. That's why I thought you were confused. Indeed then, as sowings suggested a while back, you should use "$$" in place of each "$". This is spelled out on the docs page for the Search module, assuming you have the latest Sideview Utils (2.7). Sorry for the misinterpretation of your problem.
The map command is not specific to the S.o.S app. The map command is generic to Splunk.
When the query is run as freeform search
| inputlookup splunk_servers_cache | search server_role="search-peer" | map maxsearches=100 search="| rest count=35 /services/data/indexes splunk_server=$sos_server$ " | stats sum(currentDBSizeMB) as currentDBSizeMB list(minTime) as MinTime by title splunk_server| eval currentDBSizeGB = currentDBSizeMB/1024 | where currentDBSizeMB>1
in the search box itself, I get the results. This query is not copied from any dashboard.
Try $$ around each of your tokens, like $$sos_server$$.
Is there any possibility of using geostat in the same way? I need to display a map.
Thanks a lot, it worked.
... which will be substituted by the map command, no?
That'll just tell the Search module not to replace the tokens at all - they would then go up to the server as literal "$sos_server$"
Updated with complete code
Can you post your whole XML view? I have a feeling you're mixing old intention stuff with Sideview code and it's the intention parser killing your quotes somehow.
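A simplified model of the two substitution passes this thread describes, added here as an example and not taken from Sideview Utils or Splunk: the Search module's `$token$` pass with `$$` as the escape, followed by `map`'s per-row pass. The function names and the lookup rows are constructed for illustration.

```javascript
// Simplified model of the two substitution passes discussed in this thread.
// Not Sideview Utils or Splunk code; all function names are hypothetical.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
const TOKEN = /\$\$|\$(\w+)\$/g; // "$$" escape, or a "$name$" token

// Pass 1 (dashboard only): the Search module fills "$name$" from tokens set
// by upstream modules, uses "" when none is set, and turns "$$" into "$".
function moduleSubstitute(search, tokens) {
  return search.replace(TOKEN, (match, name) => {
    if (name === undefined) return "$";
    return has(tokens, name) ? String(tokens[name]) : "";
  });
}

// Pass 2 (server side): map fills "$field$" from each input row. Fields
// missing from the row are left untouched here (an assumption of this model).
function mapSubstitute(subsearch, row) {
  return subsearch.replace(/\$(\w+)\$/g, (match, field) =>
    has(row, field) ? String(row[field]) : match);
}

// Pre-flight check: tokens pass 1 would silently blank out.
function unboundTokens(search, tokens) {
  return [...search.matchAll(TOKEN)]
    .filter((m) => m[1] !== undefined && !has(tokens, m[1]))
    .map((m) => m[1]);
}

// The subsearch each lookup row ends up running.
function expand(template, tokens, rows) {
  const dispatched = moduleSubstitute(template, tokens);
  return rows.map((row) => mapSubstitute(dispatched, row));
}

// Constructed sample data: two rows as splunk_servers_cache might return them.
const ROWS = [{ sos_server: "idx01.example.com" }, { sos_server: "idx02.example.com" }];
const UNESCAPED = "| rest count=35 /services/data/indexes splunk_server=$sos_server$";
const ESCAPED = "| rest count=35 /services/data/indexes splunk_server=$$sos_server$$";

console.log(unboundTokens(UNESCAPED, {})); // tokens nothing upstream provides
console.log(expand(UNESCAPED, {}, ROWS));  // server name lost before dispatch
console.log(expand(ESCAPED, {}, ROWS));    // one rest search per lookup row
```

A freeform search skips pass 1 entirely, which is why the same string works in the search box and fails in the view.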