As in object, it's a strange behaviour, i can't use an IN clausole with host field in a map search.
Here's my search,
|inputlookup list.csv|where tag="locals"
|map maxsearches=50 search="search index=* host IN($hostnames$) source=$source$|table host,source"
First line works, all fields are passed to map (i also tried a display fields in the map search, and all fields are ok).
Second line, the map, does not work with IN clausole and "hostnames" fields with more than 1 host.
***list.csv***
NOT WORKING
tag hostnames source
locals host1,host2 /tmp/*logs
locals host1,host2 /tmp/*TXT
locals host1,host2 /tmp/*json
WORKING
tag hostnames source
locals host1 /tmp/*logs
locals host2 /tmp/*logs
locals host1 /tmp/*TXT
locals host2 /tmp/*TXT
locals host1 /tmp/*json
locals host2 /tmp/*json
I also tried a
host IN(*$hostnames$*)
but this is like an IN(**), variable seems to be null, but i can display if i try a
|makeresults|eval host=$hostnames$|table host
Why?
Suggestions?
↧