As @bowesmana says, map is generally not suitable for what you are trying to do. Instead of illustrating an imagined SPL snippet for volunteers to read your mind, it is better to ask yourself, and illustrate:

What is a meaningful dataset to illustrate my problem? Action: Illustrate said dataset using text. (Screenshot does not apply. Anonymize as needed.)

What is the information I am trying to obtain? Action: Illustrate your desired output based on the dataset.

What is the logic between my sample dataset and desired output? Use plain language, not SPL. Make your intention clear in logical terms. Use common mathematical/logical symbols if you like, but not SPL if you have any doubt about your code.

If you illustrate some SPL that does not give you desired output, also illustrate actual results from the sample dataset. Then, explain why the result differs from desired output unless the reason is painfully obvious.

Before I try to read your mind, let me point out one critical point you need to clarify - I will use your "first search" to exemplify. Do you try to search for events with terms "<ProcessName>" and "Exception occurred" only in source=user2, then all events from source=user1? Because that's what your first search does. Your second search has the same logic, therefore IF that map command works, events in source=user1 will always match. Is this really your intention? I have a high suspicion that you want to search for events with terms "<ProcessName>" and "Exception occurred" in either source=user1 or source=user2. Is this correct? I will assume so in the following.

This being said, based on the screenshot snippet you shared, you don't need to use regex or even spath to extract jobId because Splunk has clearly done that for you. The field name is Properties.jobId. All you need to do is to match this field.
In other words, given these 8 simplified events:

source _raw
1 user1 {"Level": "Error", "MessageTemplate": "Exception occurred - something something", "Properties": { "jobId": "8ef3e2f8-35c4-4f0a-8553-cffd718640b", "message": "<ProcessNotName2> Exception occurred - Exception Source: System.Activities stuff, stuff" } }
2 user1 {"Level": "Error", "MessageTemplate": "Exception occurred - something more", "Properties": { "jobId": "8ef3e2f8-2903-4f0a-8553-cffd718640b", "message": "<ProcessName> Exception occurred - Exception Source: System.Activities stuff, stuff" } }
3 user1 {"Level": "Info", "MessageTemplate": "Exception did not occurr - something else", "Properties": { "jobId": "8ef3e2f8-1234-4f0a-8572-cffd718640b", "message": "Exception won't happen - blah" } }
4 user1 {"Level": "Info", "MessageTemplate": "Not exception - something else", "Properties": { "jobId": "8ef3e2f8-5678-4f0a-8553-cffd718640b", "message": "Nothing to see here - don't worry" } }
5 user2 {"Level": "Error", "MessageTemplate": "Exception occurred - something more", "Properties": { "jobId": "8ef3e2f8-35c4-4f0a-8553-cffd718640b", "message": "Exception occurred - Exception Source: System.Activities stuff, stuff" } }
6 user2 {"Level": "Error", "MessageTemplate": "Exception occurred - something something", "Properties": { "jobId": "8ef3e2f8-2903-4f0a-8553-cffd718640b", "message": "Exception occurred - Exception Source: System.Activities stuff, stuff" } }
7 user2 {"Level": "Info", "MessageTemplate": "Exception did not occurr - something else", "Properties": { "jobId": "8ef3e2f8-2903-4f0a-8572-cffd718640b", "message": "Exception won't happen - blah" } }
8 user2 {"Level": "Info", "MessageTemplate": "Not exception - something else", "Properties": { "jobId": "8ef3e2f8-2903-4f0a-8553-cffd718640b", "message": "Nothing to see here - don't worry" } }

you want to select 2, 6, and 8. This is the search to use:

index="<indexname>" (source = "user1" OR source = "user2") [
search index="<indexname>" (source = "user1" OR source = "user2" )
"<ProcessName>" "Exception occurred"
| stats values(Properties.jobId) AS Properties.jobId
]

This is the data emulation to generate the mock dataset posted above. Play with it and compare with real data.

| makeresults
| eval data = mvappend(
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something something\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-35c4-4f0a-8553-cffd718640b\",
\"message\": \"<ProcessNotName2> Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something more\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"<ProcessName> Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Exception did not occurr - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-1234-4f0a-8572-cffd718640b\",
\"message\": \"Exception won't happen - blah\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Not exception - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-5678-4f0a-8553-cffd718640b\",
\"message\": \"Nothing to see here - don't worry\"
}
}"
)
| mvexpand data
| rename data AS _raw
| spath
| eval source = "user1"
| append
[| makeresults
| eval data = mvappend(
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something more\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-35c4-4f0a-8553-cffd718640b\",
\"message\": \"Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something something\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Exception did not occurr - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8572-cffd718640b\",
\"message\": \"Exception won't happen - blah\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Not exception - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"Nothing to see here - don't worry\"
}
}"
)
| mvexpand data
| rename data AS _raw
| spath
| eval source = "user2"]
``` the above emulates
index="<indexname>" (source = "user1" OR source = "user2")
```

Using this emulation in both main search and subsearch, here is a full emulation:

| makeresults
| eval data = mvappend(
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something something\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-35c4-4f0a-8553-cffd718640b\",
\"message\": \"<ProcessNotName2> Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something more\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"<ProcessName> Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Exception did not occurr - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-1234-4f0a-8572-cffd718640b\",
\"message\": \"Exception won't happen - blah\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Not exception - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-5678-4f0a-8553-cffd718640b\",
\"message\": \"Nothing to see here - don't worry\"
}
}"
)
| mvexpand data
| rename data AS _raw
| spath
| eval source = "user1"
| append
[| makeresults
| eval data = mvappend(
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something more\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-35c4-4f0a-8553-cffd718640b\",
\"message\": \"Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something something\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Exception did not occurr - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8572-cffd718640b\",
\"message\": \"Exception won't happen - blah\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Not exception - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"Nothing to see here - don't worry\"
}
}"
)
| mvexpand data
| rename data AS _raw
| spath
| eval source = "user2"]
``` the above emulates
index="<indexname>" (source = "user1" OR source = "user2")
```
| search
[makeresults
| eval data = mvappend(
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something something\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-35c4-4f0a-8553-cffd718640b\",
\"message\": \"<ProcessNotName2> Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something more\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"<ProcessName> Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Exception did not occurr - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-1234-4f0a-8572-cffd718640b\",
\"message\": \"Exception won't happen - blah\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Not exception - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-5678-4f0a-8553-cffd718640b\",
\"message\": \"Nothing to see here - don't worry\"
}
}"
)
| mvexpand data
| rename data AS _raw
| spath
| eval index = "<indexname>", source = "user1"
| append
[| makeresults
| eval data = mvappend(
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something more\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-35c4-4f0a-8553-cffd718640b\",
\"message\": \"Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Error\",
\"MessageTemplate\": \"Exception occurred - something something\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"Exception occurred - Exception Source: System.Activities stuff, stuff\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Exception did not occurr - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8572-cffd718640b\",
\"message\": \"Exception won't happen - blah\"
}
}",
"{\"Level\": \"Info\",
\"MessageTemplate\": \"Not exception - something else\",
\"Properties\": {
\"jobId\": \"8ef3e2f8-2903-4f0a-8553-cffd718640b\",
\"message\": \"Nothing to see here - don't worry\"
}
}"
)
| mvexpand data
| rename data AS _raw
| spath
| eval source = "user2"]
| search "<ProcessName>" "Exception occurred"
``` the above emulates
index="<indexname>" (source = "user1" OR source = "user2") "ProcessName" "Exception occurred"
```
| stats values(Properties.jobId) as Properties.jobId
]

The output is these three events:

source _raw
user1 {"Level": "Error", "MessageTemplate": "Exception occurred - something more", "Properties": { "jobId": "8ef3e2f8-2903-4f0a-8553-cffd718640b", "message": "<ProcessName> Exception occurred - Exception Source: System.Activities stuff, stuff" } }
user2 {"Level": "Error", "MessageTemplate": "Exception occurred - something something", "Properties": { "jobId": "8ef3e2f8-2903-4f0a-8553-cffd718640b", "message": "Exception occurred - Exception Source: System.Activities stuff, stuff" } }
user2 {"Level": "Info", "MessageTemplate": "Not exception - something else", "Properties": { "jobId": "8ef3e2f8-2903-4f0a-8553-cffd718640b", "message": "Nothing to see here - don't worry" } }
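To make the two-stage logic of that search concrete outside Splunk, here is an added Python emulation of it. It is not code from the post above or from Splunk: it rebuilds the eight sample events as constructed data, emulates `| spath` by flattening the JSON into dotted field names, runs the subsearch (source filter plus terms, then `stats values(Properties.jobId)`), and then applies the outer search as `source IN (...) AND Properties.jobId IN (...)`. Term matching is a deliberately simplified stand-in (case-insensitive substring on `_raw`) for Splunk's tokenised term search, which is an assumption of this example; the `n` row-number field is likewise constructed so the result can be compared with "2, 6, and 8".

```python
import json

# Constructed sample dataset: the eight simplified events from the answer above,
# stored as (row number, source, raw JSON). Not real Splunk data.
EXC = "Exception occurred - Exception Source: System.Activities stuff, stuff"


def _raw(level, template, job_id, message):
    return json.dumps({"Level": level, "MessageTemplate": template,
                       "Properties": {"jobId": job_id, "message": message}})


EVENTS = [
    {"n": 1, "source": "user1", "_raw": _raw("Error", "Exception occurred - something something",
                                             "8ef3e2f8-35c4-4f0a-8553-cffd718640b", "<ProcessNotName2> " + EXC)},
    {"n": 2, "source": "user1", "_raw": _raw("Error", "Exception occurred - something more",
                                             "8ef3e2f8-2903-4f0a-8553-cffd718640b", "<ProcessName> " + EXC)},
    {"n": 3, "source": "user1", "_raw": _raw("Info", "Exception did not occurr - something else",
                                             "8ef3e2f8-1234-4f0a-8572-cffd718640b", "Exception won't happen - blah")},
    {"n": 4, "source": "user1", "_raw": _raw("Info", "Not exception - something else",
                                             "8ef3e2f8-5678-4f0a-8553-cffd718640b", "Nothing to see here - don't worry")},
    {"n": 5, "source": "user2", "_raw": _raw("Error", "Exception occurred - something more",
                                             "8ef3e2f8-35c4-4f0a-8553-cffd718640b", EXC)},
    {"n": 6, "source": "user2", "_raw": _raw("Error", "Exception occurred - something something",
                                             "8ef3e2f8-2903-4f0a-8553-cffd718640b", EXC)},
    {"n": 7, "source": "user2", "_raw": _raw("Info", "Exception did not occurr - something else",
                                             "8ef3e2f8-2903-4f0a-8572-cffd718640b", "Exception won't happen - blah")},
    {"n": 8, "source": "user2", "_raw": _raw("Info", "Not exception - something else",
                                             "8ef3e2f8-2903-4f0a-8553-cffd718640b", "Nothing to see here - don't worry")},
]


def parse_events(events):
    """Emulate `| spath`: parse _raw as JSON and expose nested keys as dotted field names
    (Properties.jobId, Properties.message), keeping source, n and _raw alongside."""
    parsed = []
    for ev in events:
        doc = json.loads(ev["_raw"])
        fields = dict(ev)
        fields["Level"] = doc["Level"]
        fields["MessageTemplate"] = doc["MessageTemplate"]
        for key, value in doc["Properties"].items():
            fields[f"Properties.{key}"] = value
        parsed.append(fields)
    return parsed


def matches_terms(raw, terms):
    """Simplified stand-in for Splunk term search (assumption of this example):
    every term must occur in _raw as a case-insensitive substring."""
    return all(term.lower() in raw.lower() for term in terms)


def subsearch_job_ids(events, sources, terms):
    """Emulate the subsearch: source filter AND terms, then `stats values(Properties.jobId)`,
    which yields the distinct jobIds the outer search will OR together."""
    return sorted({ev["Properties.jobId"] for ev in events
                   if ev["source"] in sources and matches_terms(ev["_raw"], terms)})


def outer_search(events, sources, job_ids):
    """Emulate the outer search after the subsearch has been expanded into
    `(Properties.jobId=a OR Properties.jobId=b ...)`: no term filter here, so every
    event of a matching job is returned regardless of which source logged it."""
    wanted = set(job_ids)
    return [ev for ev in events if ev["source"] in sources and ev["Properties.jobId"] in wanted]


def run_search(events, sources=("user1", "user2"), terms=("<ProcessName>", "Exception occurred")):
    """The whole search from the answer; returns the row numbers of the selected events."""
    parsed = parse_events(events)
    job_ids = subsearch_job_ids(parsed, set(sources), terms)
    return [ev["n"] for ev in outer_search(parsed, set(sources), job_ids)]


if __name__ == "__main__":
    print(run_search(EVENTS))  # [2, 6, 8]
```

The design point worth noticing is the split: the terms are only applied inside the subsearch, and the outer search correlates purely on `Properties.jobId`. That is why rows 6 and 8, which contain neither "<ProcessName>" nor (for row 8) "Exception occurred", are still returned: they share the jobId of row 2. It also shows the scoping concern raised earlier in the answer: restricting the term filter to `user2` alone makes the subsearch return no jobIds at all on this dataset, because only the `user1` event carries "<ProcessName>".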