Solved: Search field names with spaces in map command inne...

ErikaE · ‎11-19-2015

I have data from a sourcetype that I am searching with a map command like so:

source=outersearch | map search="search source="innersource" | stats avg(Param)"

This search runs correctly and returns the expected number of events from innersource. However, I would like to be able to search for a fieldname with a space in the inner search source. i.e. "Field Name"="String Value". When I isolate the inner search, it works just fine. When I include it in the map string:

source=outersearch | map search="search source="innersource" "Field Name"="String Value" | stats avg(Param)"

The map search returns no results. The documentation says that the map search string is 'literal' but I can't find any documentation on what that means or how it constrains how the search has to be written.

woodcock · ‎11-19-2015

Try this (demonstrates multiple approaches):

 source=outersearch | map search="search source=\"innersource\" $Field Name$='String Value' | stats avg(Param)"

View solution in original post

woodcock · ‎11-19-2015

Try this (demonstrates multiple approaches):

 source=outersearch | map search="search source=\"innersource\" $Field Name$='String Value' | stats avg(Param)"

ErikaE · ‎11-24-2015

The escape character ended up working great, i.e.:

\"Field Name with Space\"

It took a little bit of fiddling to figure out which parts of the inner search were causing issues.

Search field names with spaces in map command inner search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!