Splunk Search

Why is search not returning result when using map?

sheikhazad
New Member

Hello,
My following search results records for Account:

index="X" AND (sourcetype="A:Proxy" OR sourcetype="A:orderpusher")          
| where NOT isnull(Account)
| table _raw, _time, Account, User

But if i use map (which is required for my xml dashboard form ), then I do not get any result:

| makeresults
| map search="search  index=neonconnect_dev AND (sourcetype=NeonConnect:Proxy OR sourcetype=neonconnect:orderpusher)"
| where NOT isnull(Account) 
| table _raw, _time, Account, User

My source data contains required data(file), still I can't see result. Kindly help.
Thanks.

Tags (3)
0 Karma

sheikhazad
New Member

Here is my dashboard and I am showing relevant queries only. With this queries with map, my problem is solved:

    <query>
        | makeresults
        | addinfo
        | eval orders_index = "$Trading$"
        | eval beginTimeFromMinTime=relative_time(info_min_time, "@d")
        | map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype=\"NeonConnect:Proxy\" OR sourcetype=\"neonconnect:orderpusher\") AND OrderStatus AND User AND Account"
    </query>
    <earliest>$orderTime.earliest$</earliest>
    <latest>$orderTime.latest$</latest>
    <sampleRatio>1</sampleRatio>
</search>

........................................................................................
Below query is to show Users in drop down
.......................................................................................

        <input type="dropdown" token="tokFilterUser" searchWhenChanged="true">
            <label>Filter on User</label>
            <search base="baseProxySearch">
                <query>
                    | where NOT isnull(User)
                    | dedup User
                    | eval User=lower(User)
                    | dedup User
                    | table User
                    | sort User
                </query>
            </search>
            <fieldForLabel>User</fieldForLabel>
            <fieldForValue>User</fieldForValue>
            <choice value="*">All Users</choice>
            <default>*</default>
        </input>

........................................................................................
Below query is to show Accounts in drop down
.......................................................................................




| where NOT isnull(Account) AND (User="$tokFilterUser$" OR "$tokFilterUser$"="")
| dedup Account
| eval Account=lower(Account)
| dedup Account
| table Account
| sort Account


Account
Account
<choice value="">All Account Names
*

0 Karma

arjunpkishore5
Motivator

What exactly are you trying to achieve with map? Could you provide more details on what you're trying to achieve in the dashboard? There might be an alternative solution to it.

In the meanwhile, for your query, I suspect the metadata is getting altered when results are passed from map. Try enclosing the whole query in map

| makeresults
| map [ search index=neonconnect_dev  sourcetype IN ("NeonConnect:Proxy", "neonconnect:orderpusher")
  | where NOT isnull(Account)
  | table _raw, _time, Account, User]
0 Karma

sheikhazad
New Member

Unfortunately, when I enclose map with [ ] as you suggested, it fails to work. Pls see my dashboard xml in main comment

0 Karma

sheikhazad
New Member

Problem solved but still want answer:

My input source (which is log file) contains a lot of unnecessary data like:

2019-12-06 20:26:54,753 UTC : INFO PC=I, PM=0, PI=0, PR=3
2019-12-06 20:27:24,770 UTC : INFO PC=I, PM=0, PI=0, PR=3

And my log files are kept on updating with these data which DO NOT contain "Account" info which I am looking for.

I changed the query to limit the data in index by adding "AND OrderStatus AND User AND Account" which makes sure that the data contains Account info like:

2019-12-04 17:05:59,026 UTC : INFO User=ASHAH, Account=AShah, AccountId=2, OrderStatus=Unknown, Status=Pending

Old failed query:
| map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype="NeonConnect:Proxy" OR sourcetype="neonconnect:orderpusher") "

New successful query:
| map search="search earliest=$$beginTimeFromMinTime$$ index=$$orders_index$$ AND (sourcetype="NeonConnect:Proxy" OR sourcetype="neonconnect:orderpusher") AND OrderStatus AND User AND Account"

My question is, how limiting data in Splunk Index solved the problem? Is a lot of data in Splunk Index cause unreliable result?

0 Karma

woodcock
Esteemed Legend

It is almost certainly because you are not using the double-quotes for your sourcetype value. Try this:

| makeresults
| map search="search index=\"X\" AND (sourcetype=\"A:Proxy\" OR sourcetype=\"A:orderpusher\")
| where NOT isnull(Account)
| table _raw, _time, Account, User"

Be aware that this limits both the run-time of your search and the size of your results set.

0 Karma

sheikhazad
New Member

Sadly it doesnt work. Pls see my main comment and I got result when I changed query and still need answers why changing my query works

0 Karma

woodcock
Esteemed Legend

Tell us more about why map is required for my xml dashboard form. I do not believe that is true and the real solution is to NOT use map.

0 Karma

sheikhazad
New Member

I want that all accounts are shown in my dasboard's drop down menu. Without map it doesnt work. Not sure why. I am 1 day old kid in splunk 😞

0 Karma

woodcock
Esteemed Legend

Then let's solve that problem the right way. Trust me: map is not the answer. Show us your dashboard XML.

0 Karma

sheikhazad
New Member

Pls see my dashboard xml in main comment

0 Karma

to4kawa
Ultra Champion
| makeresults
| map search="search index=_internal splunkd"

Hi, @sheikhazad
this query produces results.
I think | where NOT isnull(Account) is evil.

| makeresults
| map search="search index=neonconnect_dev  (sourcetype=NeonConnect:Proxy OR sourcetype=neonconnect:orderpusher)"
| table _raw, _time, Account, User
| search Account!=""

How about this?

0 Karma

sheikhazad
New Member

Sadly it doesnt work. Pls see my main comment and I got result when I changed query and still need answers why changing my query works

0 Karma

sheikhazad
New Member

Correction: In both above queries I use same Index and SourceType (though it seems different in my question)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...