https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398008#M115470 <H2>I tried using the map command in my index but my lookup return is getting messed up also the maxspan is not taking effect. Below is my updated script:</H2> <P>| search Id="*" <BR /> | lookup error_rules.csv EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit </P> <P>| table Id PublisherMessage EventSubType PublisherTimestamp alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit <BR /> | map search="search index=* | transaction Id PublisherMessage maxspan=$span_time$"</P> <TABLE><THEAD> <TR> <TH>stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time</TH> </TR> </THEAD><TBODY> </TBODY></TABLE> <HR /> <P>Lookup File:<BR /> EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit</P> <P>Failed to Ping Computer,Critical,7m,0,0,0<BR /> Application Error,Warning,5m,0,0,0</P> Tue, 29 Sep 2020 23:28:28 GMT mpaw 2020-09-29T23:28:28Z https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398004#M115466 <P>Hi,</P> <H2>I want to create a dynamic variable containing the span value on my index search. I have a lookup file that has corresponding value then it will lookup to the index search and update the span value. Unfortunately, I cannot get it to work. Any tips/ideas?</H2> <P>Instead of:<BR /> maxspan=7m; span=240m</P> <P>It will be like this:</P> <H2>maxspan=duration1; span=duration1</H2> <P>Here is my script below:<BR /> | search Id="*" <BR /> | lookup error_rules.csv EventSubType as EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit <BR /> | eval recorrenceWindow=$span_time$ <BR /> | eval duration=floor($recorrenceWindow$) <BR /> | eval duration1=duration+"m" <BR /> | transaction Id PublisherMessage maxspan=7m <BR /> | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) AS c_time <BR /> | bucket _time span=240m </P> <H2>| stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time</H2> <P>Lookup File:<BR /> EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit<BR /> Failed to Ping Computer,Critical,7,0,0,0</P> Tue, 29 Sep 2020 23:21:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398004#M115466 mpaw 2020-09-29T23:21:06Z https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398005#M115467 <P>Define the field upfront and pass it to the map command like this example:</P> <PRE><CODE>| makeresults | eval field="member_guid" | map search="search index=_internal | transaction $field$" </CODE></PRE> Tue, 26 Feb 2019 14:23:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398005#M115467 tiagofbmm 2019-02-26T14:23:05Z https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398006#M115468 <P>Like this:</P> <PRE><CODE>| makeresults | eval maxspan="7m" | map search="search index=_* | transaction host maxspan=$maxspan$" </CODE></PRE> Fri, 01 Mar 2019 06:58:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398006#M115468 woodcock 2019-03-01T06:58:41Z https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398007#M115469 <P>@mpaw please accept an answer if it solved/helped it and upvote it. Otherwise let us know how can we help further</P> Fri, 01 Mar 2019 11:08:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398007#M115469 tiagofbmm 2019-03-01T11:08:55Z https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398008#M115470 <H2>I tried using the map command in my index but my lookup return is getting messed up also the maxspan is not taking effect. Below is my updated script:</H2> <P>| search Id="*" <BR /> | lookup error_rules.csv EventSubType OUTPUT alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit </P> <P>| table Id PublisherMessage EventSubType PublisherTimestamp alert_type span_time check_reoccurrence_window reoccurrence_threshold_count check_reoccurrence_window_limit <BR /> | map search="search index=* | transaction Id PublisherMessage maxspan=$span_time$"</P> <TABLE><THEAD> <TR> <TH>stats list(PublisherTimestamp) AS EventTimeStamp list(sourcetype) AS SourceOfData list(EventSubType) AS EventSubType list(span_time) as SpanTimeLimit list(reoccurrence_threshold_count) AS ReoccurenceThresholdCount list(check_reoccurrence_window_limit) list(duration1) count by Id PublisherMessage _time</TH> </TR> </THEAD><TBODY> </TBODY></TABLE> <HR /> <P>Lookup File:<BR /> EventSubType,alert_type,spam_time,check_reoccurrence_window,reoccurrence_threshold_count,check_reoccurrence_window_limit</P> <P>Failed to Ping Computer,Critical,7m,0,0,0<BR /> Application Error,Warning,5m,0,0,0</P> Tue, 29 Sep 2020 23:28:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-dynamic-assign-variable-to-maxspan-and-span/m-p/398008#M115470 mpaw 2020-09-29T23:28:28Z