Splunk Search

Any example for MAP command

ma_anand1984
Contributor

Can i have a sample of MAP command?
Please give sample events and final outputs also.
I'm not able to understand doc provided by splunk.

Tags (3)
1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

userhostcount
user1server11
user3server13
user1server32

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_timecomputernamecomputertimeusernameusertime
10/12/12 8:31:35.00 AMADMIN28-H$10/12/2012 08:25:42user110/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

View solution in original post

alacercogitatus
SplunkTrust
SplunkTrust

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

userhostcount
user1server11
user3server13
user1server32

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_timecomputernamecomputertimeusernameusertime
10/12/12 8:31:35.00 AMADMIN28-H$10/12/2012 08:25:42user110/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

rtadams89
Contributor

What is the advantage of this over using a "join" command:

sourcetype=syslog sudo | stats count by user host | join user [ search index=ad_summary type_logon=ad_last_logon username=* | rename username AS user]

manish_singh_77
Builder

Hi Alacercogitatus,

Can we use map command to pass variable value in rest end point?

koenV
Explorer

Hi @manish_singh_777,

I'm not sure what you mean but I think you might want to take a look at working with Splunk using XML and the APIs?

0 Karma

koenV
Explorer

There is not necessarily an advantage. Especially for large 'outer' searches the map command is very slow (and so is join - your example could also be done using stats only).
However, keep in mind that the map function returns only the results from the search specified in the map command, whereas a join will return results from both searches.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...