Splunk Search

Any example for MAP command

ma_anand1984
Contributor

Can I have a sample of the MAP command?
Please give sample events and final outputs also.
I'm not able to understand the doc provided by Splunk.

1 Solution

alacercogitatus
SplunkTrust

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

user   host     count
user1  server1  1
user3  server1  3
user1  server3  2

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_time                   computername  computertime         username  usertime
10/12/12 8:31:35.00 AM  ADMIN28-H$    10/12/2012 08:25:42  user1     10/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

rtadams89
Contributor

What is the advantage of this over using a "join" command:

sourcetype=syslog sudo | stats count by user host | join user [ search index=ad_summary type_logon=ad_last_logon username=* | rename username AS user]

manish_singh_77
Builder

Hi Alacercogitatus,

Can we use map command to pass variable value in rest end point?

koenV
Explorer

Hi @manish_singh_777,

I'm not sure what you mean but I think you might want to take a look at working with Splunk using XML and the APIs?


koenV
Explorer

There is not necessarily an advantage. Especially for large 'outer' searches the map command is very slow (and so is join - your example could also be done using stats only).
However, keep in mind that the map function returns only the results from the search specified in the map command, whereas a join will return results from both searches.
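To make the behaviour described in the accepted answer and in the map-versus-join discussion above concrete, here is a small Python model of what the two commands do with the thread's searches. This is an added illustration, not Splunk code and not code from anyone in the thread: the syslog sudo events and ad_summary events are constructed sample data that follow the field names in the answer, and stats_count_by, map_command and join_command are simplified stand-ins for the real SPL commands, written only to show the shape of the result sets, not how Splunk implements them.

```python
"""Model of Splunk's `map` (foreach) versus `join` on the thread's searches.

Added illustration, not Splunk code: the sample events are constructed, and
stats_count_by / map_command / join_command are simplified stand-ins for the
real SPL commands, kept only faithful enough to show the result-set shape.
"""
import re
from collections import Counter

# Constructed syslog sudo events: the input to `stats count by user host`.
SYSLOG_SUDO = [
    {"sourcetype": "syslog", "host": "server1", "user": "user1"},
    {"sourcetype": "syslog", "host": "server1", "user": "user3"},
    {"sourcetype": "syslog", "host": "server1", "user": "user3"},
    {"sourcetype": "syslog", "host": "server1", "user": "user3"},
    {"sourcetype": "syslog", "host": "server3", "user": "user1"},
    {"sourcetype": "syslog", "host": "server3", "user": "user1"},
]

# Constructed ad_summary events; the third one has the wrong type_logon and
# must be filtered out by the inner search.
AD_SUMMARY = [
    {"index": "ad_summary", "username": "user1", "type_logon": "ad_last_logon",
     "computername": "ADMIN28-H$", "computertime": "10/12/2012 08:25:42",
     "usertime": "10/12/2012 08:31:35 AM"},
    {"index": "ad_summary", "username": "user3", "type_logon": "ad_last_logon",
     "computername": "LAB07$", "computertime": "10/12/2012 07:50:03",
     "usertime": "10/12/2012 07:58:10 AM"},
    {"index": "ad_summary", "username": "user1", "type_logon": "ad_logoff",
     "computername": "ADMIN28-H$", "computertime": "10/12/2012 09:00:00",
     "usertime": "10/12/2012 09:02:00 AM"},
]

# The inner search string from the accepted answer, with its $user$ token.
INNER = "index=ad_summary username=$user$ type_logon=ad_last_logon"


def stats_count_by(events, *fields):
    """Stand-in for `| stats count by f1 f2`: one row per distinct combination."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in sorted(counts.items())]


def substitute_tokens(template, row):
    """Replace $field$ tokens in the inner search with the outer row's values."""
    return re.sub(r"\$(\w+)\$", lambda m: str(row[m.group(1)]), template)


def run_search(index, query):
    """Tiny matcher for space-separated key=value terms; all terms must match."""
    terms = dict(term.split("=", 1) for term in query.split())
    return [e for e in index if all(e.get(k) == v for k, v in terms.items())]


def map_command(outer_rows, inner_template, index, maxsearches=10):
    """Stand-in for `| map search="..." maxsearches=N`.

    The inner search runs once per outer row (a foreach) and stops after
    maxsearches rows (Splunk's default cap is 10). Only the inner results
    come back: outer fields such as host and count are dropped.
    """
    results = []
    for row in outer_rows[:maxsearches]:
        query = substitute_tokens(inner_template, row)
        results.extend(dict(hit) for hit in run_search(index, query))
    return results


def join_command(outer_rows, inner_rows, on):
    """Stand-in for `| join <field> [subsearch]`: inner join keeping both sides.

    Like Splunk's default (max=1), only the first matching inner row is used.
    """
    first_match = {}
    for r in inner_rows:
        first_match.setdefault(r[on], r)
    return [{**row, **first_match[row[on]]}
            for row in outer_rows if row[on] in first_match]


def demo_map():
    """The accepted answer's pipeline: stats by user host, then map."""
    outer = stats_count_by(SYSLOG_SUDO, "user", "host")
    return map_command(outer, INNER, AD_SUMMARY)


def demo_join():
    """rtadams89's alternative: join on user after renaming username AS user."""
    outer = stats_count_by(SYSLOG_SUDO, "user", "host")
    inner = [{**{k: v for k, v in e.items() if k != "username"}, "user": e["username"]}
             for e in run_search(AD_SUMMARY, "index=ad_summary type_logon=ad_last_logon")]
    return join_command(outer, inner, on="user")


if __name__ == "__main__":
    print("map rows (inner fields only):")
    for row in demo_map():
        print("  ", row)
    print("join rows (outer + inner fields):")
    for row in demo_join():
        print("  ", row)
```

Running it shows the two points made in the thread: the map rows carry only the ad_summary fields (no host, no count), and because user1 appears in two outer rows the inner search runs twice for user1 and its logon row comes back twice; the join rows keep host and count from the outer search alongside computername and usertime from the inner one. The maxsearches cap is also why a large outer search is a poor fit for map: with the real command each outer row costs a full search, and rows beyond the cap are silently not searched.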
