Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error in use of 'map' search command

kevintelford
Path Finder
‎11-29-2010 08:44 PM

I have a sourcetype called sourcetype1 that contains the following three events:

foo=a
foo=b
foo=c

I then have a sourcetype called sourcetype2 that contains the following 4 events:

bar=x, othervalue=4
bar=y, othervalue=3
bar=z, othervalue=2
bar=a, othervalue=1

If I do the simple search 

index=myindex sourcetype=sourcetype1 | fields foo

I get back the expected 3 events: a, b, c.

I then try to use the map command

index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=$foo$"

and I get the error

[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'map' command: Unable to run query 'search index=index2 bar=a'.

which makes me sad.

To further my confusion if I try a search just to get some different results

index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=x"

I end up the results

a
b
c

which acts as if the subsearch never occurred. Any thoughts?

Thanks,

Kevin

Tags (3)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-29-2010 11:29 PM

Is all the search and indexing on one Splunk instance, or do you have multiple indexers and/or a separate search head? Until 4.2, the map command will not issue searches in distributed mode. Also, I believe that unless you specify otherwise, the maxsearches option to the map command defaults to 1, so you should set that higher.

Also, I'm assuming you're replacing real terms with foo and bar and a and b etc., but the error you get is usually because the search you've constructed is syntactically invalid. Try perhaps putting quotes around the argument: 

... | map search="search index=index2 bar=\"$foo$\""
Reply

araitz
Splunk Employee
Splunk Employee
‎09-26-2011 11:36 PM

Better late than clever 😛

0 Karma
Reply

carasso
Splunk Employee
Splunk Employee
‎09-26-2011 03:11 PM

Map has been fixed for 4.2.4

Reply

Glenn
Builder
‎12-24-2010 12:10 PM

I second the claim that this doesn't work. I only get the results from the original search, which is annoying as otherwise this would be a very useful command.

The only time I have ever see this actually work as claimed is when invoking after a "| metadata" search, and then using map to iterate over hosts as suggested here: http://answers.splunk.com/questions/8175/iterate-a-search-over-a-collection-of-variables

Are the results that come back from a metadata search different from normal events?

I guess I will log a case about it.

0 Karma
Reply

araitz
Splunk Employee
Splunk Employee
‎12-01-2010 04:46 AM

Yeah, ummm, I've never had much (okay, ANY) success with the map command. I would recommend using the python API that Splunk ships with to automate this.

0 Karma
Reply

kevintelford
Path Finder
‎11-30-2010 06:04 PM

@gkanapathy,

Good call on the quotes around $foo$. Single quotes work as well. I also added maxsearches. So that fixes the error I was getting. Running the fixed syntax still yields me with the 3 results that the initial search produces. Its as if the map command isn't being run at all.

Right now I'm running this command against a single index, multiple sourcetypes (which differs from above, I'll update to reflect), on a single Splunk instance.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...