Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Map with inputlookup not working

nsraoch1975
New Member
‎01-24-2018 07:13 AM

I have a dataset 1 like:
VID
A212
A213
B151
B153

Dataset 2 like:
QID Solution
2145 text contains A212
2155 text contains B151
2157 text contains A212
2855 text contains B151

Wanted output like:
VID QID Solution -> for all matching cases

I tried the following search for a single item search and it is working fine

|from inputlookup:"dataset1" |where like(vid,"%A212%")|stats values(vid) as vid
|map [|from inputlookup:"dataset2" |where like(Solution,"%".$vid$."%") |Table QID,Solution]

But when the main search returns multiple values, it is not working - shows no results.

|from inputlookup:"dataset1" |where like(vid,"%A%")|stats values(vid) as vid
    |map [|from inputlookup:"dataset2" |where like(Solution,"%".$vid$."%") |Table QID,Solution]

What am i doing wrong here ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-24-2018 10:04 AM

The map command will, by default, only take the first ten values. If you'd like it to look at more than ten, you need to use the maxsearches flag, like: | map maxsearches=100 [...]. You can also use maxsearches=0 to have no limit. However, I'd avoid using map for this, because you can restructure this to not use map at all, and doing so will launch a new search for every result from the base search - a very inefficient way to find what you're looking for. See if this restructured query will give you what you're looking for:

| inputlookup dataset2 where 
[ | inputlookup dataset1 where vid="*A212*"
   | eval vid="*".vid."*"
   | stats values(vid) AS vid 
   | format ]

This restructured query takes the values from dataset1, reformats them with wildcards, and uses them as a search filter for dataset2.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎01-24-2018 10:04 AM

The map command will, by default, only take the first ten values. If you'd like it to look at more than ten, you need to use the maxsearches flag, like: | map maxsearches=100 [...]. You can also use maxsearches=0 to have no limit. However, I'd avoid using map for this, because you can restructure this to not use map at all, and doing so will launch a new search for every result from the base search - a very inefficient way to find what you're looking for. See if this restructured query will give you what you're looking for:

| inputlookup dataset2 where 
[ | inputlookup dataset1 where vid="*A212*"
   | eval vid="*".vid."*"
   | stats values(vid) AS vid 
   | format ]

This restructured query takes the values from dataset1, reformats them with wildcards, and uses them as a search filter for dataset2.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...