Channel: Answers for "Why is my map command returning an error when there are no results from the main search?"

Answer by elliotproebstel

Well, you can solve the current problem with a simple `fillnull`:

```
index=myIndex value1!=True
| stats count by siteID
| fillnull value="" siteID
| map [search index=myIndex earliest=-2d value2!=True siteID=$siteID$ | stats latest(_time) as lastContact by siteID, siteName, region, siteType]
```

That will eliminate the errors for the search code as it is currently written. However, I strongly suspect there is a better way to structure this code so that it's not using `map` here at all, especially if (as the snippet suggests), your map search is iterating over the same indexed data as the primary search that feeds it. Without any other context, my intuition is that you're finding `siteID` values in the primary search from a different time window than the one you're using in your mapped subsearch. And I can totally relate to the desire to structure code like this, but it's actually not the efficient way to do things in Splunk.

If you'd like help re-writing this so that your search is more efficient and less brittle, feel free to post more details (either here in response to my post, or in a new "How do I make this search more efficient?"-type post).

But, as an FYI, if you decide to stick with `map` on this - you'll want to add `maxsearches=x` where `x` is the maximum number of iterations you want that map command to run. If you want to live dangerously and allow it to run for as many `siteID` values as the primary search finds, you can use `maxsearches=0`. If you don't specify a value for this attribute, the map command will max out at 10 iterations of the subsearch.
