topic Re: Any example for MAP command in Splunk Search

Any example for MAP command

ma_anand1984 — Fri, 12 Oct 2012 10:25:13 GMT

Can i have a sample of MAP command?
Please give sample events and final outputs also.
I'm not able to understand doc provided by splunk.

Re: Any example for MAP command

alacercogitatus — Fri, 12 Oct 2012 13:09:41 GMT

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

user	host	count
user1	server1	1
user3	server1	3
user1	server3	2

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_time	computername	computertime	username	usertime
10/12/12 8:31:35.00 AM	ADMIN28-H$	10/12/2012 08:25:42	user1	10/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

Re: Any example for MAP command

rtadams89 — Mon, 28 Sep 2020 16:43:09 GMT

What is the advantage of this over using a "join" command:

sourcetype=syslog sudo | stats count by user host | join user [ search index=ad_summary type_logon=ad_last_logon username=* | rename username AS user]

Re: Any example for MAP command

koenV — Tue, 01 May 2018 11:23:50 GMT

There is not necessarily an advantage. Especially for large 'outer' searches the map command is very slow (and so is join - your example could also be done using stats only).
However, keep in mind that the map function returns only the results from the search specified in the map command, whereas a join will return results from both searches.

Re: Any example for MAP command

manish_singh_77 — Fri, 22 Jun 2018 06:16:32 GMT

Hi Alacercogitatus,

Can we use map command to pass variable value in rest end point?

Re: Any example for MAP command

koenV — Tue, 29 Sep 2020 20:07:33 GMT

Hi @manish_singh_777,

I'm not sure what you mean but I think you might want to take a look at working with Splunk using XML and the APIs?