Hi splunk fellows, Struggling a bit with the map command I never used before : | inputlookup myfile1.csv | append [| inputlookup myfile2.csv ] | where status!="H" | eventstats dc(status) as status_cnt by site_code | where status_cnt=1 and status="C" | table site_code --> until here everything looks fine | map search="|inputlookup myfile1.csv | where site_code=$site_code$" don't try too much to make sense out of it as I simplified the query but basically I'm filtering out events to get the ones I'm interested in and I create a table containing my site_code values. So far so good. Now I would like to use these values to select some specific entries in my lookup table with the map command but I'm not getting any results. It seems the $site_code$ variable is not filled in properly. Any advice ? Thank you ... View more

Hi, I'm trying to build a mechanism to pre-define a set of fields in my searches. The mechanism normally uses a macro and a lookup table to create a list of fields and this part is working fine. The problem is that it seems the "fields" command can't use my list correctly. For instance: index="main" | eval myfieldslist="host,sourcetype,source" | fields $myfieldslist$ That looks good to me but it only shows the _time field which means the "fields" command does consider the string "host,sourcetype,source" as a unique value and not as a list of values. I tried different things but I can't make it work. Any help would be appreciated Thank you ... View more