topic MAP command in splunk in Splunk Search

MAP command in splunk

arjitgoswami — Thu, 25 May 2017 05:56:52 GMT

Hi Team, I am having a difficulty in understanding map command. In the below commands, we need to extract work order ID from one sourcetype and using that, I need to extract sessionid corresponding to that work order ID.

sourcetype=XYZ QI-*|rex "FINISH:\sWO\sID\sis\s\s(?[^\s]+)"|stats values(WOID) as WOID|map search="search sourcetype=ABC val=$WOID$|stats values(sessionid)"

When I just using one Work order (QI-12345) I am getting the result. But when I am using QI-* (which has 6 such work order ID) , I am not able to get results. Could you please help?

Thanks ,
Arjit.

Re: MAP command in splunk

dineshraj9 — Thu, 25 May 2017 06:41:12 GMT

You have to pass values one by one to the map search command. Try something like this -

sourcetype=pega17052017n QI-*|rex "UWCChange\sStage\sFINISH:\sWO\sID\sis\s\s(?[^\s]+)"|dedup WOID | table WOID |map search="search sourcetype=QI-535653 val=$WOID$|stats values(sessionid) "

Re: MAP command in splunk

woodcock — Thu, 25 May 2017 12:20:36 GMT

Try this:

sourcetype="pega17052017n" QI-535653 OR QI-535654|stats values(WOID) as val
| table val
| map maxsearches=10 search="search sourcetype=\"QI-535653\" QI-* val=$val$|stats values(sessionid) by val"

Re: MAP command in splunk

arjitgoswami — Fri, 26 May 2017 08:26:49 GMT

Thanks @niketnilay ! adding stats count by WOID helped to send single valued result to map command. It looks like only count function (and not stats(values) or table command) is sending single values data to map command

Re: MAP command in splunk

niketn — Fri, 26 May 2017 08:44:38 GMT

@arjitgoswami, you r base search is returning multi-value result. Try the following:

 sourcetype="pega17052017n" QI-535653 OR QI-535654
 | stats count by WOID
 | rename WOID as val
 | table val
 | map search="search sourcetype=\"QI-535653\" QI-* val=$val$
                           | stats values(sessionid) by val" maxsearches=10

Re: MAP command in splunk

niketn — Fri, 26 May 2017 08:46:19 GMT

Hi @arjitgoswamy, since it was a duplicate thread (https://answers.splunk.com/answers/542641/map-command-in-splunk.html), where I had answered your question, I have pasted my comment here as an answer. Please accept to mark this as closed.