Passing a multivalued field into a map command token

Motivator

Forgoing a conversation about efficiency, I'm trying to essentially pass a multivalue field into a map command in a way that mimics what you see when using the | format command. Granted, the format command is used for seeing what is passed to a parent search from a subsearch.

In this case let's say I have a search like

| tstats count WHERE sourcetype=some_sourcetype BY sourcetype index | stats values(index) as index by sourcetype

If I add | format at the end of that search, I end up with what I'm trying to push to the map command: index="foo" OR index="bar" AND sourcetype="some_sourcetype". For my use case I don't want separate queries spawned by the map command for each index and sourcetype pair. I also really am trying to spawn a search for each sourcetype vs. passing the data up as one big ORed subsearch result. I'm not married to values(), but I used it to combine multiple results into one field so that each sourcetype from the original search would have its own line/event. What I'm trying to get to is something like

| tstats count WHERE sourcetype=some_sourcetype BY sourcetype index | stats values(index) as index by sourcetype | map [search <insert sourcetype> AND <insert index(es)> | ... ]

You can pass sourcetype easily enough (sourcetype=$sourcetype$), but after trying a number of ways to doctor the index name string I'm passing down, I've not had any luck. It doesn't appear that you can simply drop a token into the spawned query like you might in a dashboard. Part of the issue I'm having is that when you look at the job inspector you don't see what the spawned query actually looks like.

I sure would be interested in any thoughts.

0 Karma
1 Solution

Champion

What about going the other way with it? Instead of trying to push the indexes down to the map function, how about trying to generate the indexes in the map function with a subsearch? Maybe something like this:

  ...  | map search="search sourcetype=$sourcetype$ [| tstats count where sourcetype=$sourcetype$ by index | fields index]"

0 Karma

Motivator

I think that was the key! I generally have used the subsearch-type format for map and always forget to put "search=". My initial efforts down this path earlier today were unsuccessful. This seems to be working, though I'm not sure if it will ultimately be more efficient than simply running one big honking search without the map command.

... | map maxsearches=900 search="search earliest=-5m [| tstats count WHERE sourcetype="$sourcetype$" BY sourcetype index | fields sourcetype index] |...
0 Karma
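The approach the thread converges on, written out end to end as an added example (this is not either poster's own search and not Splunk documentation; the outer tstats driver, the 5-minute window, maxsearches=50 and the closing stats are illustrative assumptions). The outer search produces one row per sourcetype; map then spawns one search per row, and the subsearch inside it resolves that sourcetype's indexes at spawn time instead of trying to carry a multivalue field through a token:

```spl
| tstats count WHERE index=* earliest=-5m BY sourcetype
| fields sourcetype
| map maxsearches=50 search="search earliest=-5m sourcetype=$sourcetype$
      [| tstats count WHERE earliest=-5m sourcetype=$sourcetype$ BY index
       | fields index]
    | stats count AS events dc(host) AS hosts BY sourcetype index"
```

Things to check before relying on this: map's maxsearches defaults to 10 and rows beyond the limit are not searched (Splunk warns rather than fails), so size it to the number of sourcetypes the driver returns; the inner subsearch is bounded by the usual subsearch limits (10,000 results and 60 seconds by default), which is plenty for a list of index names; every spawned search runs with the calling user's role, so a sourcetype that lives in an index the role cannot read simply disappears from the result rather than erroring; and a sourcetype name containing spaces needs the token wrapped in escaped quotes (sourcetype=\"$sourcetype$\") inside the map search string.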