Alerting

Map command breaks when scheduled

Joshua
Explorer

I am running a custom python search command for custom alerting from Splunk which takes variables from the search query and using the map command to feed the set variables into the script.

I'll use the sendemail command as an example;

host="myserver" "OutOfMemory" | map search="| sendemail to="test@test.com" subject=$host$ server="mailhost""

This works perfectly when run directly via the GUI search, however if I turn this into a ScheduledSearch using the same query it doesn't work. Splunk logs will indicate that it ran succesfully and didnt encounter any exceptions however my email does not get sent.

By turning the sendemail function to echo the output into a text file I can see that nothing happens either. What gets interesting is that if I replace $host$ with "myservername" and dont use any $variables$ it works!

I have tried escaping the strings passed to the python script directly within the script when extracting the variables though it has no affect.

subject=\"\'$host$\'\" 

By double quoting the above it still works via the GUI, though when scheduled my email sends but with subject as inner quotes - \'\'

Indicating that the variable is either not being transformed or is replaced with nothing.

I have tried placing the entire search query again within the sub map search with no affect either...

Any suggestions would be great, otherwise I'll have to raise a support case.

Note: This is on a windows server.

1 Solution

carasso
Splunk Employee
Splunk Employee

Your quoting is wrong for the map command. Try using the subsearch syntax.
e.g.

| map [ sendemail to="test@test.com" subject=$host$ server="mailhost"]

See:

http://splunk-base.splunk.com/answers/27012/whats-wrong-with-this-map-search-command

View solution in original post

s_n
Engager

Old topic but someone may find it via google looking for a solution.
For me saved search with map command, to which $variable$ is passed worked in the following way...

savedsearch_1:

foo | map savedsearch_2 var1=$var1$ var2=$var2$

savedsearch_2:

search bar | where var1=$var1$ var2=$var2$ | head 1

Trying different syntax like:

    foo | map search="search bar | where var1=\"$var1\" var2=\"var2\" | head 1"

worked well in interactive search but on saved and scheduled the variables weren't passed to the map command so the search always was returning no results.

traugust
Explorer

Thanks a lot for sharing this approach! It helped me out and I can confirm that it worked for me as solution for the above problem.

0 Karma

tysonstewart
Path Finder

Just wanted to highlight the fact that the key here is saving a search for the map command to use. Variable names inside a string disappear when run by the scheduler.

0 Karma

carasso
Splunk Employee
Splunk Employee

Your quoting is wrong for the map command. Try using the subsearch syntax.
e.g.

| map [ sendemail to="test@test.com" subject=$host$ server="mailhost"]

See:

http://splunk-base.splunk.com/answers/27012/whats-wrong-with-this-map-search-command

Joshua
Explorer

Workaround developed until a resolution for this method is found.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...