topic Re: Get main search resulting events in the output when using map command in Splunk Search

Get main search resulting events in the output when using map command

mevcloud — Wed, 23 Apr 2014 10:31:01 GMT

I have the following search pipeline

search field1=xxxx | map search="search field2=yyyy field3=$file2$"

When I run it I only get as output the results from "search field2=yyyy field3=$file2$" for each result in the main search. Is it somehow possible to get in the output the events resulting from "search field1=xxxx" too without having to append them like this?

search field1=xxxx | map search="search field2=yyyy field3=$file2$" | append [ search field1=xxxx ]

Re: Get main search resulting events in the output when using map command

martin_mueller — Wed, 23 Apr 2014 13:54:40 GMT

What's your use case?

Re: Get main search resulting events in the output when using map command

mevcloud — Thu, 24 Apr 2014 08:59:20 GMT

My use case is the following one: I have to find a request and its matching response. Both the request and the response are xml messages. The response has an element called "MessageID" that contains a value that matches the value of another element called "RelatesTo" in the response. In the main search I look for the particular request I am looking for and extract the MessageID value using the rex command. I then using that $messageId$ in the map search to find the response. The problem is that using that I only get the response in the output and not the request.

Re: Get main search resulting events in the output when using map command

martin_mueller — Thu, 24 Apr 2014 10:39:37 GMT

I see... the most intuitive way would be to either use join:

search for requests | do some extracting to get a field called MessageID | join MessageID [search for responses | do some extracting to get a field called MessageID]

or to use transaction:

search for requests OR responses | do some extracting on each to get a field called MessageID in both types of events | transaction MessageID

Depending on your reporting after that, you may also be able to use stats instead of transaction like this:

 search for requests OR responses | do some extracting on each to get a field called MessageID in both types of events | stats some(reporting) as stuff by MessageID

Re: Get main search resulting events in the output when using map command

mevcloud — Thu, 24 Apr 2014 12:53:41 GMT

I had already tried the join exactly they way you mentioned in the answer and using it I am only getting the events on the left size (request) when there is a match and not both, as I would have expect from the description of the command.

Re: Get main search resulting events in the output when using map command

martin_mueller — Thu, 24 Apr 2014 13:00:10 GMT

You are getting fields from both sources. Don't use the event viewer tab to judge whether a join was successful, rather append a table field1 field2 ... and see if you're getting fields from both sources.

The raw text of an event is just another field (_raw), so its behaviour after a join may not be as intuitively expected.

Re: Get main search resulting events in the output when using map command

somesoni2 — Thu, 24 Apr 2014 14:47:42 GMT

Use join option "type=left" to get unmatched requests.