This is finally found to be a potential bug or atleast a limitation in the map command. I went ahead and performed some very generic searches in Splunk using the map command to pass three types of data to be searched in the map subsearch; text, numbers, alpanumeric with special characters. The results of the test shows that any values containing pure text strings (no numbers, no special characters) that are passed on to the map command cannot be recovered in the search results. Here is the proof: Query Used for test: | makeresults | eval field1="TextString", field2="12345", field3="user@12345mail.com" | table field1, field2, field3 | map maxsearches=300 search="search index=_internal ($field1$ OR $field2$ OR $field3$) earliest=-2h | eval TextString=$field1$, Number=$field2$, Alphanum=$field3$" | table _time index TextString Number Alphanum Results: Notice the TextString field is empty while the number and alphanumeric and special character values are all retained in the output. I will try and bring this to Splunk's attention, however not sure if this is going to be fixed or left as is. Thanks to all who took the time to read through and helped with suggestions
... View more