The quotes can only be seen in the search.log in one of the SearchParser component events.
My ultimate goal is to be able to pass a single field with an arbitrary number of values through map to the same variable in multiple sections of the subsearch, one of which is specifically in the by section of a tstats. The examples below are proofs of concept to illustrate the problem. I've tried other approaches, including tokens (not that there's a token to remove quotes), but have obviously been unsuccessful in my various attempts.
Ex #1: Value Ends Up Quoted & Does Not Work
<pre>| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"</pre>
Ex #2: Does Not Quote Value & Works
<pre>| makeresults
| eval test = "sourcetype"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"</pre>
Here's an alternative approach I tested, but it only seems to execute whatever is in the first record of the nested subsearch, which in this case is "sourcetype,host".
Ex #3: "by" Subsearch
<pre>| makeresults
| fields sourcetype, host, lastTime
| map
[| tstats latest(_time) AS lastTime WHERE index=_internal by
[| makeresults count=2
| streamstats count AS counter
| eval search = if(counter=1, "sourcetype,host", "sourcetype")
| fields - _time, counter ]
]</pre>
Any thoughts?
Note: I did see the post "Why is there a problem when passing a command through a variable in map-command?", but it doesn't really help in this situation seeing as it doesn't solve how to do it in the by section. At least, if it does, I missed it.