
Why, when using the "map" command, are results not displayed if I pass a string argument to "map"?

yutaka1005
Builder

Splunk ver : 7.1.2

When I use the map command, if the argument passed to map is a string, results are never displayed.
But if the argument is an int, or a string that contains a space, then it works!

The searches below are examples.
* Since they are samples, they are weird searches, but please do not mind.

Not working case:

| makeresults count=3 
| eval field1="test"
| table field1 
| map search="| stats count | fields - count | eval map_field1=$field1$ | table map_field1"

Working case1:

| makeresults count=3 
| eval field1=111    
| table field1 
| map search="| stats count | fields - count | eval map_field1=$field1$ | table map_field1"

Working case2:

| makeresults count=3 
| eval field1="this is test"  
| table field1 
| map search="| stats count | fields - count | eval map_field1=$field1$ | table map_field1"

Is this the specification, or an issue?
*If it is, I'm so sorry.

Please someone tell me.

0 Karma
1 Solution

harishalipaka
Motivator

hi @yutaka1005

try like this

| makeresults count=3 
| eval field1=111
| table field1 
| map [search | stats count | fields - count | eval map_field1="$field1$" | table map_field1]

Thanks
Harish


yutaka1005
Builder

Thank you for the answer!

The problem was solved by doing as you taught me.

But I wonder why I can't pass a string to map unless I surround the argument with double quotes.
I also wonder why I can pass a string that has a space.

0 Karma

MuS
Legend

Hi yutaka1005,

you are using an eval, and using field vs "field" is not the same 😉

  • using field in an eval will tell Splunk to use the values of the field field
  • using "field" in an eval will tell Splunk to use the string field

As example:

 | eval bar="111" | eval foo=bar

this will result in foo="111", whereas

 | eval bar="111" | eval foo="bar"

will result in foo="bar".

Hope this explains the problem you encountered.

cheers, MuS

0 Karma

yutaka1005
Builder

Thank you for the comment.

So you mean the following, right?

If I pass an int to map

| eval bar=111 | map [ | eval foo=$bar$ ]

Although 111 is passed to map without double quotes, an int is defined as a value (not as a field), so the result is foo=111.

If I pass a string to map

| eval bar="test" | map [ | eval foo=$bar$ ]

Because a string without double quotes is defined as a field, the result is foo=test.
Then there is no test field, so the result is never displayed.

Therefore, I should surround the argument in map with double quotes.
I was able to accept it up to here.

But I wonder why it works when passing a string that has a space without double quotes.

In such a case, like below, although the argument in map is not surrounded with double quotes, the result is foo="this is test".

| eval bar="this is test" | map [ | eval foo=$bar$ ]

0 Karma

MuS
Legend

I might have misunderstood your question, but have a go with this run-everywhere search:

| makeresults count=3 
| eval field1="test with space", bar="baz", field2=bar, field3=123
| map search="| stats count | fields - count | eval map_field1=\"$field1$\",map_field2=\"$field2$\",map_field3=\"$field3$\",map_bar=\"$bar$\" "

This might answer and/or clarify the issue. I reckon the important thing is to have the token field in the map search like this: \"$name$\"

cheers, MuS
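The field-vs-string rule MuS describes, applied to the map searches in this thread, as an added Python toy model (it is not Splunk code and not from any poster). It assumes a minimal eval grammar of three forms only: a quoted string literal, a number, and a bare field name looked up in the current row; map substitution is modelled as pasting the outer row's value into the search as raw text, after which the inner row (the result of `| stats count | fields - count`) has no fields. It does not cover the unquoted value-with-spaces case, which the thread reports works but does not explain.

```python
import re

# Constructed toy model, not Splunk code: it mimics only the eval rule MuS
# describes (bare name = field lookup, "..." = string literal, digits = number)
# after map has substituted $token$ with the outer row's value as raw text.

_TOKEN = re.compile(r"\$(\w+)\$")
_ASSIGN = re.compile(r"^\s*eval\s+(\w+)\s*=\s*(.*?)\s*$")
_QUOTED = re.compile(r'^"(.*)"$')
_NUMBER = re.compile(r"^-?\d+(\.\d+)?$")
_IDENT = re.compile(r"^[A-Za-z_]\w*$")


def substitute_tokens(template, outer_row):
    """map-style substitution: each $name$ becomes the outer row's value, as plain text."""
    return _TOKEN.sub(lambda m: str(outer_row.get(m.group(1), "")), template)


def eval_rhs(expr, row):
    """Interpret a simplified eval right-hand side.
    "..."      -> string literal
    digits     -> numeric literal
    bare name  -> value of that field in `row`, None when the field is absent
    Anything else (e.g. unquoted text containing spaces) is rejected; the thread
    reports that Splunk accepts such input, which this toy model does not explain."""
    expr = expr.strip()
    m = _QUOTED.match(expr)
    if m:
        return m.group(1)
    if _NUMBER.match(expr):
        return float(expr) if "." in expr else int(expr)
    if _IDENT.match(expr):
        return row.get(expr)
    raise ValueError(f"unsupported eval expression: {expr!r}")


def run_map(template, outer_rows):
    """Run `template` once per outer row against an inner row with no fields
    (the effect of `| stats count | fields - count`). An eval whose right-hand
    side is null creates no field, so that inner result is dropped here."""
    results = []
    for outer_row in outer_rows:
        inner_search = substitute_tokens(template, outer_row)
        m = _ASSIGN.match(inner_search)
        if not m:
            raise ValueError(f"not an eval assignment: {inner_search!r}")
        lhs, rhs = m.group(1), m.group(2)
        value = eval_rhs(rhs, {})  # the inner row has no fields at all
        if value is not None:
            results.append({lhs: value})
    return results


if __name__ == "__main__":
    # Constructed input: `makeresults count=3 | eval field1="test"`
    rows = [{"field1": "test"}] * 3
    print(run_map("eval map_field1=$field1$", rows))    # [] : bare `test` is a field lookup
    print(run_map('eval map_field1="$field1$"', rows))  # three rows of map_field1="test"
    print(run_map("eval map_field1=$field1$", [{"field1": 111}]))  # [{'map_field1': 111}]
```

Running the script reproduces the three observations in the thread under the stated assumptions: the unquoted `test` becomes a reference to a field that does not exist in the inner row, so nothing comes back; `111` is a numeric literal and survives; and quoting the token (`"$field1$"`, or `\"$field1$\"` inside a `search="..."` string) turns any value into a string literal, which is why that form works regardless of the value.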
