Solved: How to use subsearch inside a map command search?

rajim · ‎02-14-2018

I have a query that uses map and subsearch inside map command as below:

index=myindex
| eval email="email@xyz.com"
| dedup email
| table email
| map search " index=myindex sourcetype=mysourcetype 
[search index=myindex \"$email$\" 
| fields message_session_id 
| dedup message_session_id ]
| transaction message_session_id maxspan=30s 
| rename _time as time, tag::eventtype as eventtype, src as src_ip, size as total_size, filename as attachments, file_size as attachment_size, orig_src as sender  
| table time, sender, recipient, src_user, subject, attachments, attachment_size, tag, eventtype, src_ip, signature_id, total_size, message_id, qid, message_session_id, process, protocol, orig_recipient, message_id, action, filter_action, filter_score, av, signature" maxsearches=1000

The first four lines are for test purpose. The actual query is different. For my problem this is fine.
When I'm running this query I am getting the error message like "Error in 'map' command: Unable to find saved search 'search'."
It seems that the inner subsearch has a problem. Could anybody please help me here?

Thanks in advance.

HiroshiSatoh · ‎02-14-2018

Try this!

| map search " index=myindex sourcetype=mysourcetype 
↓
| map search="search index=myindex sourcetype=mysourcetype

View solution in original post

micahkemp · ‎02-14-2018

You almost certainly don't want solve this issue with map and subsearch. You may not even want to use map without subsearch.

I know mail logs are awful. I've had to do a lot of customization and summarization to solve my past mail log needs. I would probably suggest you post a new question, asking in general, "here's what my data looks like, and here's what I need to search and what I need to get out of it, how can I do that?".

Really, I feel your pain on this. Mail logs are the devil.

rajim · ‎02-14-2018

I'm using map because there is a list of emails for which we need to search this. So I wanted to create a loop over those emails. I just want to know if there is any limitation in using subsearch inside a map command like this? It's providing an error which should not be. It would be better if you could provide me answer why I'm getting this error. I'm mostly worried about the syntax of this map command.

micahkemp · ‎02-14-2018

I really do understand why you went down this path. I'm not judging you, I've gone through this and other vicious searches for mail logs.

In regards to not posting an answer, that's why I posted this only as a comment. I really don't want to come across as rude, but having been through the trials and tribulations of mail logs I know firsthand that this method is quickly going to fail to meet your needs.

HiroshiSatoh · ‎02-14-2018

Try this!

| map search " index=myindex sourcetype=mysourcetype 
↓
| map search="search index=myindex sourcetype=mysourcetype

rajim · ‎02-14-2018

no it's not working... getting the same error message.

HiroshiSatoh · ‎02-14-2018

I made a mistake. The search sentence was corrected.

This is because it was regarded as a saved search due to a parameter mistake.
You can also use "$email$" in the sub search of the map command.

rajim · ‎02-14-2018

Thank you ... this solution works..

How to use subsearch inside a map command search?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes