Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Any example for MAP command

ma_anand1984
Contributor
‎10-12-2012 03:25 AM

Can i have a sample of MAP command?
Please give sample events and final outputs also.
I'm not able to understand doc provided by splunk.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-12-2012 06:09 AM

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

userhostcount
user1server11
user3server13
user1server32

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_timecomputernamecomputertimeusernameusertime
10/12/12 8:31:35.00 AMADMIN28-H$10/12/2012 08:25:42user110/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

View solution in original post

Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎10-12-2012 06:09 AM

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

userhostcount
user1server11
user3server13
user1server32

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_timecomputernamecomputertimeusernameusertime
10/12/12 8:31:35.00 AMADMIN28-H$10/12/2012 08:25:42user110/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

Reply
Solved! Jump to solution

rtadams89
Contributor
‎05-23-2014 01:05 PM

What is the advantage of this over using a "join" command:

sourcetype=syslog sudo | stats count by user host | join user [ search index=ad_summary type_logon=ad_last_logon username=* | rename username AS user]

Reply
Solved! Jump to solution

manish_singh_77
Builder
‎06-21-2018 11:16 PM

Hi Alacercogitatus,

Can we use map command to pass variable value in rest end point?

Reply
Solved! Jump to solution

koenV
Explorer
‎06-22-2018 12:31 AM

Hi @manish_singh_777,

I'm not sure what you mean but I think you might want to take a look at working with Splunk using XML and the APIs?

0 Karma
Reply
Solved! Jump to solution

koenV
Explorer
‎05-01-2018 04:23 AM

There is not necessarily an advantage. Especially for large 'outer' searches the map command is very slow (and so is join - your example could also be done using stats only).
However, keep in mind that the map function returns only the results from the search specified in the map command, whereas a join will return results from both searches.

Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top