Splunk Search

How do you prevent the map command from encapsulating the variable in quotes?

quasikaze
Explorer

The quotes can only be seen in the search.log in one of the SearchParser component events.

My ultimate goal is to be able to pass a single field with an arbitrary number of values through map to the same variable in multiple sections of the subsearch, one of which is specifically in the by section of a tstats. The examples below are proofs-of-concept to illustrate the problem. I've tried other approaches including tokens, not that there's a token to remove quotes, but have obviously been unsuccessful in my various attempts.

Ex #1: Value End Up Quoted & Does Not Work

<pre>| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"</pre>

Ex #2: Does Not Quote Value & Works

<pre>| makeresults
| eval test = "sourcetype"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by $test$"</pre>

Here's an alternative approach I tested, but it only seems to execute whatever is in the first record of the nested subsearch, which in this case is "sourcetype,host".

Ex #3: "by" Subsearch

<pre>| makeresults 
| fields sourcetype, host, lastTime 
| map 
    [| tstats latest(_time) AS lastTime WHERE index=_internal by 
        [| makeresults count=2 
        | streamstats count AS counter 
        | eval search = if(counter=1, "sourcetype,host", "sourcetype") 
        | fields - _time, counter ] 
        ]</pre>

Any thoughts?

Note: I did see the post "Why is there a problem when passing a command through a variable in map-command?", but it doesn't really help in this situation seeing as it doesn't solve how to do it in the by section. At least, if it does, I missed it.

1 Solution

woodcock
Esteemed Legend

This is a difficult problem that took me forever to figure out but once I show you the trick, you are going to kick yourself. You cannot stop map from doing this, but you can work around it; you need to use both a subsearch and a map like this:

<pre>| makeresults
| eval test = "sourcetype,host"
| map search="| tstats latest(_time) AS lastTime WHERE index=_internal by [|makeresults | eval test=$test$ | return $test]"</pre>

BOOM! (That is the sound of the microphone that I dropped hitting my foot).

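The accepted answer above works because the two dollar signs play different roles: map replaces `$test$` with the row's value (quoting it when it contains a comma, which is what breaks the `by` clause), while inside the subsearch `return $test` emits the value of the `test` field without a `field=` prefix or surrounding quotes, so the subsearch expands to the bare text `sourcetype,host` before `tstats` parses it. The following is an added example, not code from the original thread, that extends the same trick to what the question calls its ultimate goal: a driver with an arbitrary number of rows, each carrying its own comma-separated field list, so that each map iteration groups by a different set of fields. It assumes a searchable `index=_internal` (as the thread does) and uses the `maxsearches` argument of `map`, which must be at least the number of driver rows:

```spl
| makeresults count=2
| streamstats count AS row
| eval test = if(row=1, "sourcetype,host", "sourcetype")
| fields test
| map maxsearches=2 search="| tstats latest(_time) AS lastTime WHERE index=_internal by [| makeresults | eval test=$test$ | return $test]"
```

The first iteration runs `tstats ... by sourcetype,host` and the second `tstats ... by sourcetype`; map merges both result sets, so rows from the second iteration are expected to have an empty `host` field. If a run produces no results, confirm the substitution in search.log (the SearchParser events mentioned in the question) rather than guessing at quoting: the bracketed subsearch should have been replaced by the unquoted field list.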

woodcock
Esteemed Legend

You took my suggestion to just add a subsearch but missed it by >that< much!

quasikaze
Explorer

lol! That's actually what I tried a couple days earlier when talking back and forth with daljeanis. When I saw your comment about that, I had already forgotten about it and had no idea where you were talking about adding a subsearch or what to even put in it and just confusingly dismissed it. :facepalm: There's absolutely no way I would've solved it without your help! I've never had reason to use return, so I completely forgot it even existed! I've been working this issue off and on for months, so to finally have a solution is inspiring. Thanks again!

woodcock
Esteemed Legend

I feel your pain. I had the same experience. I absolutely had to make it work. It took me weeks and then God pushed the idea into my head; it just clicked! I solved it in my mind and I knew that it would work before I even tested it.



quasikaze
Explorer

This is what I needed! Thank you!

woodcock
Esteemed Legend

Tokens, tokens, everywhere! I shudder to think of how this will look as a dashboard panel!


pierrealex
Engager

Thank you so much

I didn't understand the trick with `return $test` and why only one $.

But this does the job!


Vijeta
Influencer

Did you try using \"$test$\" instead of $test$ in your second example?


quasikaze
Explorer

Yeah. No luck there. Thanks though!
