topic Re: How to pass values from previous search into map search in Splunk Search

How to pass values from previous search into map search

rlippincott — Thu, 10 Oct 2019 17:18:42 GMT

Hello all, my search is below:

index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 AND storeId!=0001 
| eval regNbr=registerNbr | eval storeNbr=storeId 
| spath output="Store" "storeId" 
| spath output="Country" "countryCode" 
| spath output="Lane" "registerNbr" 
| spath output="Time" "timestamp" 
| spath output="Reloads" "tagName" 
| localize timebefore=5m 
| map search="search index=tcxelevate_webpos registerType=kioskBridge registerNbr= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$starttime$ latest=$endtime$" 
| spath output="Command" "command" 
| eval request=case(true(), "debug") 
| eval response=case(true(), "debug") 
| stats values(Country) as Country, latest(Command) as Command, latest(request) as Request, latest(response) as Response, values(Reloads) as Reloads by Store, Lane, Time 
| table Time, Reloads, Command, Request, Response, Store, Lane, Country

As you can see. I am trying to strip the register number from the first search into spath

From there, I am trying to do a map search on all events that are pulled from the main search.

In the map search. I try to set registerNbr equal to the variable I made with the spath.

I am just trying to take the value for registerNbr from the first search, and store it. and refer to it later in my map search to narrow down the search.

Any assistance?

P.S. ignore my eval's with case statements. I haven't filled those out yet, but have working code that I will put in there after I am done testing to see if I can get the map search to work as I want it to.

Re: How to pass values from previous search into map search

dmarling — Thu, 10 Oct 2019 20:50:28 GMT

Do you mind editing your question and re-posting your query, but using the code sample box so the formatting is protected? Your query is getting roughed up a bit due to some escaping happening unintentionally with astericks. I believe this is your query but feel free to correct me:

index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 AND storeId!=0001 
| eval regNbr=registerNbr 
| eval storeNbr=storeId 
| spath output="Store" "storeId" 
| spath output="Country" "countryCode" 
| spath output="Lane" "registerNbr" 
| spath output="Time" "timestamp" 
| spath output="Reloads" "tagName" 
| localize timebefore=5m 
| map search="search index=tcxelevate_webpos registerType=kioskBridge registerNbr= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$starttime$ latest=$endtime$" 
| spath output="Command" "command" 
| eval request=case(true(), "debug") 
| eval response=case(true(), "debug") 
| stats values(Country) as Country, latest(Command) as Command, latest(request) as Request, latest(response) as Response, values(Reloads) as Reloads by Store, Lane, Time 
| table Time, Reloads, Command, Request, Response, Store, Lane, Country

Re: How to pass values from previous search into map search

richgalloway — Thu, 10 Oct 2019 20:50:45 GMT

To refer to a field within map, put the name of the field inside $. Tokens passed into the search are referred to using double $.

... | map search="search index=tcxelevate_webpos registerType=kioskBridge $registerNbr$= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$$starttime$$ latest=$$endtime$$"