Splunk Search

map command not working when used in advanced XML

adityapavan18
Contributor

Hi, PFB the snippet in my dashboard:

<module name="Search" layoutPanel="panel_row2_col1" autoRun="True">
    <param name="search">
        <![CDATA[| inputlookup splunk_servers_cache | search server_role="search-peer" | map maxsearches=100 search="| rest count=35 /services/data/indexes splunk_server=$sos_server$ " | stats sum(currentDBSizeMB) as currentDBSizeMB  list(minTime) as MinTime by  title splunk_server| eval currentDBSizeGB  = currentDBSizeMB/1024  | where currentDBSizeMB>1]]></param>
</module>

The search is returning results when run as a freeform search, but when run in a dashboard it doesn't return any results.

When I checked in the job inspector, the query is shown as

| inputlookup  splunk_servers_cache  | search server_role="search-peer"  | map  maxsearches=100 search=| rest count=35 /services/data/indexes splunk_server=  | stats  sum(currentDBSizeMB) as currentDBSizeMB  list(minTime) as MinTime by  title splunk_server | eval  currentDBSizeGB  = currentDBSizeMB/1024  | search title="*apps" OR title="*perf"  | where  currentDBSizeMB>1

where the quotes for the map command and the splunk_server substitution have disappeared.

How do I avoid this and get the query running in the dashboard?

Complete XML:

<view autoCancelInterval="90" isSticky="False" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
    <label>Index Size Distrubution</label>
    <module name="AccountBar" layoutPanel="appHeader"/>
    <module name="AppBar" layoutPanel="appHeader"/>
    <module name="SideviewUtils" layoutPanel="appHeader"/>
    <module name="Message" layoutPanel="messaging">
        <param name="filter">*</param>
        <param name="maxSize">2</param>
        <param name="clearOnJobDispatch">False</param>
    </module>

    <module name="Search" layoutPanel="panel_row1_col1" autoRun="True">
        <param name="search">
            <![CDATA[| inputlookup splunk_servers_cache | search server_role="search-peer" | map maxsearches=100 search="| rest count=35 /services/data/indexes splunk_server=$sos_server$ " | stats sum(currentDBSizeMB) as currentDBSizeMB  list(minTime) as MinTime by  title splunk_server| eval currentDBSizeGB  = currentDBSizeMB/1024 | where currentDBSizeMB>1]]></param>
        <param name="earliest">-15m</param>
        <param name="latest">now</param>
        <module name="JobProgressIndicator"/>
        <module name="Paginator" layoutPanel="panel_row2_col1" group="Search Results">
            <param name="count">10</param>
            <param name="entityName">results</param>
            <param name="groupLabel">Search Results</param>
            <module name="EnablePreview">
                <param name="enable">True</param>
                <param name="display">False</param>
                <module name="SimpleResultsTable">
                    <param name="entityName">results</param>
                    <param name="allowTransformedFieldSelect">True</param>
                    <module name="Gimp"/>
                </module>
            </module>
        </module>
    </module>
</view>

sowings
Splunk Employee

Try $$ around each of your tokens, like $$sos_server$$.


sideview
SplunkTrust

OK. I think you're confused about what the $sos_server$ is doing.

$sos_server$ is just a $foo$ token that the Search module will recognize. It doesn't have anything to do with the map command in particular. The Search module will look upstream for a Pulldown or a TextField or some other Splunk or Sideview UI element that has created a "sos_server" token, and it will substitute that token value into the search, if it finds one.

In your view there isn't anything creating that token so the Search module will substitute in "", and the rest command run inside map will be | rest count=35 /services/data/indexes splunk_server="

which I suspect is a syntax error. However since it's inside map the syntax error doesn't get reported anywhere and the end result is a quiet failure.

I'm thinking you probably copied the map command out of the Splunk-on-Splunk app? If you go back to the view you copied it from, you'll see that somewhere upstream there was a <param name="sos_server"> on some module, probably a Pulldown.

Also take a pass through the first few documentation pages inside the Sideview Utils app itself because this will help you orient much more quickly. The docs are filled with living examples of working views and you can copy and paste from those little xml snippets into your production dashboards.

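The mechanism sideview describes above (the Search module's own token pass, which runs before map ever sees the query, substituting "" for a token nothing upstream created) and sowings' `$$` fix, modelled together as an added example. This is not Sideview Utils or Splunk code; the `$name$` token regex, the empty-string fallback and the lookup rows are assumptions taken from the thread.

```python
import re

# Added example (not Sideview Utils or Splunk code): a model of the two
# substitution passes the thread describes. The dashboard's Search module
# expands $name$ from upstream UI tokens ("" when nothing created the token)
# and writes "$$" out as a literal "$". Only afterwards does the server-side
# map command expand $field$ once per lookup row. Token syntax is an assumption.
TOKEN = r"\$([A-Za-z_][A-Za-z0-9_]*)\$"
MODULE_TOKEN_RE = re.compile(r"\$\$|" + TOKEN)

# The search from the original post, as the dashboard author wrote it.
SEARCH = ('| inputlookup splunk_servers_cache | search server_role="search-peer" '
          '| map maxsearches=100 search="| rest count=35 /services/data/indexes '
          'splunk_server=$sos_server$ " | stats sum(currentDBSizeMB) as currentDBSizeMB')

def search_module_substitute(search, tokens):
    """Dashboard pass: $$ -> $, $name$ -> upstream token value, or "" if undefined."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        return tokens.get(m.group(1), "")
    return MODULE_TOKEN_RE.sub(repl, search)

def escape_for_dashboard(search):
    """The accepted fix: double every $ so the token survives the module pass."""
    return re.sub(TOKEN, r"$$\1$$", search)

def map_template(search):
    """Pull the quoted subsearch out of 'map ... search="..."'."""
    m = re.search(r'\bmap\b[^|]*?search="([^"]*)"', search)
    return m.group(1) if m else None

def expand_map(search, rows):
    """Server-side pass: map runs the template once per lookup row."""
    template = map_template(search)
    if template is None:
        return []
    return [re.sub(TOKEN, lambda m: row.get(m.group(1), ""), template) for row in rows]

def rest_targets(search, rows, tokens=None):
    """The splunk_server= value each rest call receives after both passes."""
    expanded = expand_map(search_module_substitute(search, tokens or {}), rows)
    return [re.search(r"splunk_server=(\S*)", s).group(1) for s in expanded]

if __name__ == "__main__":
    rows = [{"sos_server": "idx01"}, {"sos_server": "idx02"}]  # constructed lookup rows
    print(rest_targets(SEARCH, rows))                         # ['', ''] -> quiet failure
    print(rest_targets(escape_for_dashboard(SEARCH), rows))   # ['idx01', 'idx02']
```

With no upstream token the rest command is dispatched against an empty server name for every row, which is the silent failure seen in the dashboard; with the `$$` escape the module pass hands `$sos_server$` through untouched and map fills it per row.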

sideview
SplunkTrust

Oh of course. Sorry it's been a long time since I used map, and it was before Sideview Utils existed.


adityapavan18
Contributor

Partially right. My server is not named $sos_server$.
sos_server is a field name in a lookup. The map command is like a for loop which runs the query for all values of the field.


sideview
SplunkTrust

Oh! And you've literally called your server "$sos_server$"? It's pretty unusual to give a server a name with $ characters in it, because this character has meaning across Splunk. That's why I thought you were confused. Indeed then, as sowings suggested a while back, you should use "$$" in place of each "$". This is spelled out on the docs page for the Search module, assuming you have the latest Sideview Utils (2.7). Sorry for the misinterpretation of your problem.


adityapavan18
Contributor

The map command is not specific to the S.o.S app; the map command is generic to Splunk.

When the query is run as freeform search

| inputlookup splunk_servers_cache | search server_role="search-peer" | map maxsearches=100 search="| rest count=35 /services/data/indexes splunk_server=$sos_server$ " | stats sum(currentDBSizeMB) as currentDBSizeMB list(minTime) as MinTime by title splunk_server| eval currentDBSizeGB = currentDBSizeMB/1024 | where currentDBSizeMB>1

in the search box itself, I get the results. This query is not copied from any dashboard.


sowings
Splunk Employee

Try $$ around each of your tokens, like $$sos_server$$.

nivethainspire_
Explorer

Is there any possibility of using geostat in the same way? I need to display a map.


adityapavan18
Contributor

Thanks a lot, it worked.


sowings
Splunk Employee

... which will be substituted by the map command, no?


sideview
SplunkTrust

That'll just tell the Search module not to replace the tokens at all; they would then go up to the server as the literal "$sos_server$".


adityapavan18
Contributor

Updated with the complete code.


sideview
SplunkTrust

Can you post your whole XML view? I have a feeling you're mixing old intention stuff with Sideview code and it's the intention parser killing your quotes somehow.
