https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465410#M131116 <P>I am banging my head trying to understand the <CODE>map</CODE> command and how it works. I have one search that returns values:</P> <P>index=offers sourcetype=offer producttype=* earliest=-5m latest=now <BR /> | stats count by producttype<BR /> | table producttype</P> <P>This gives me the a set of data. So far so good.<BR /> |producttype|<BR /> 1<BR /><BR /> 3<BR /> 9<BR /> 12</P> <P>What I thought <CODE>map</CODE> did was to pass these $productID$ values to the 'mapped query and run it up to maxsearches time (in this case 4). So my next line was :</P> <P>map maxsearches=4 search = "index=offers sourcetype=offer producttype=$producttype$ earliest=-5m latest=now <BR /> | timechart ...some stuff... <BR /> | blah blah<BR /> | etc.... "</P> <P>I get no results found. (This is a simplified version of my search and the foreach is not going to be an option with my final goal). What am I failing to understand? Thank you in advance!</P> Wed, 23 Oct 2019 23:15:23 GMT mtrochym 2019-10-23T23:15:23Z https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465410#M131116 <P>I am banging my head trying to understand the <CODE>map</CODE> command and how it works. I have one search that returns values:</P> <P>index=offers sourcetype=offer producttype=* earliest=-5m latest=now <BR /> | stats count by producttype<BR /> | table producttype</P> <P>This gives me the a set of data. So far so good.<BR /> |producttype|<BR /> 1<BR /><BR /> 3<BR /> 9<BR /> 12</P> <P>What I thought <CODE>map</CODE> did was to pass these $productID$ values to the 'mapped query and run it up to maxsearches time (in this case 4). So my next line was :</P> <P>map maxsearches=4 search = "index=offers sourcetype=offer producttype=$producttype$ earliest=-5m latest=now <BR /> | timechart ...some stuff... <BR /> | blah blah<BR /> | etc.... "</P> <P>I get no results found. (This is a simplified version of my search and the foreach is not going to be an option with my final goal). What am I failing to understand? Thank you in advance!</P> Wed, 23 Oct 2019 23:15:23 GMT https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465410#M131116 mtrochym 2019-10-23T23:15:23Z https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465411#M131117 <P>What are you trying to accomplish with the <CODE>map</CODE> command? I've rarely run into a case where I need it over different commands</P> Wed, 23 Oct 2019 23:23:20 GMT https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465411#M131117 aberkow 2019-10-23T23:23:20Z https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465412#M131118 <P>@aberkow makes a good point. <CODE>map</CODE> is powerful, but costly and there often are other ways to accomplish the task. Try a subsearch.<BR /> In this example, the query within brackets (the subsearch) fetches your product types. Change the argument to <CODE>head</CODE> to return the desired number of producttype values. The results of the subsearch become part of the main search, like <CODE>index=offers sourcetype=offers (producttype=1 OR producttype=3 OR producttype=9 OR producttype=12)) earliest=-5m ...</CODE>.</P> <PRE><CODE>index=offers sourcetype=offer [index=offers sourcetype=offer producttype=* earliest=-5m latest=now | stats count by producttype | head 4 | fields producttype | format ] earliest=-5m latest=now | timechart ...some stuff... | blah blah | etc.... </CODE></PRE> Thu, 24 Oct 2019 04:19:24 GMT https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465412#M131118 richgalloway 2019-10-24T04:19:24Z https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465413#M131119 <P>You are missing the <CODE>search</CODE> operator just inside of the double-quotes; like this:</P> <PRE><CODE>index=offers sourcetype=offer producttype=* earliest=-5m latest=now | stats count by producttype | map maxsearches=4 search="search index=offers sourcetype=offer producttype=$producttype$ earliest=-5m latest=now | timechart ...some stuff... | blah blah | etc.... " </CODE></PRE> Fri, 25 Oct 2019 23:58:03 GMT https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465413#M131119 woodcock 2019-10-25T23:58:03Z https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465414#M131120 <P>The <CODE>subsearch</CODE> way seems to work but it is not documented as supported for a very good reason that is fairly complicated; You should stick to using <CODE>double-quotes</CODE>. See my answer.</P> Fri, 25 Oct 2019 23:59:10 GMT https://community.splunk.com/t5/Splunk-Search/Understanding-map-command/m-p/465414#M131120 woodcock 2019-10-25T23:59:10Z