Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Any example for MAP command

ma_anand1984
Contributor
‎10-12-2012 03:25 AM

Can i have a sample of MAP command?
Please give sample events and final outputs also.
I'm not able to understand doc provided by splunk.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-12-2012 06:09 AM

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

userhostcount
user1server11
user3server13
user1server32

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_timecomputernamecomputertimeusernameusertime
10/12/12 8:31:35.00 AMADMIN28-H$10/12/2012 08:25:42user110/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-12-2012 06:09 AM

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

userhostcount
user1server11
user3server13
user1server32

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_timecomputernamecomputertimeusernameusertime
10/12/12 8:31:35.00 AMADMIN28-H$10/12/2012 08:25:42user110/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

Reply
Solved! Jump to solution

rtadams89
Contributor
‎05-23-2014 01:05 PM

What is the advantage of this over using a "join" command:

sourcetype=syslog sudo | stats count by user host | join user [ search index=ad_summary type_logon=ad_last_logon username=* | rename username AS user]

Reply
Solved! Jump to solution

manish_singh_77
Builder
‎06-21-2018 11:16 PM

Hi Alacercogitatus,

Can we use map command to pass variable value in rest end point?

Reply
Solved! Jump to solution

koenV
Explorer
‎06-22-2018 12:31 AM

Hi @manish_singh_777,

I'm not sure what you mean but I think you might want to take a look at working with Splunk using XML and the APIs?

0 Karma
Reply
Solved! Jump to solution

koenV
Explorer
‎05-01-2018 04:23 AM

There is not necessarily an advantage. Especially for large 'outer' searches the map command is very slow (and so is join - your example could also be done using stats only).
However, keep in mind that the map function returns only the results from the search specified in the map command, whereas a join will return results from both searches.

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top