Solved: Any example for MAP command

ma_anand1984 · ‎10-12-2012

Can i have a sample of MAP command?
Please give sample events and final outputs also.
I'm not able to understand doc provided by splunk.

alacercogitatus · ‎10-12-2012

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

user	host	count
user1	server1	1
user3	server1	3
user1	server3	2

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_time	computername	computertime	username	usertime
10/12/12 8:31:35.00 AM	ADMIN28-H$	10/12/2012 08:25:42	user1	10/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

View solution in original post

alacercogitatus · ‎10-12-2012

Map is like a foreach iterator. It will take each "result" of a previous search, and perform the map search that many times with the specified map search. An example might help.

So I have a search (let's call it SRCH_1) "sourcetype=syslog sudo|stats count by user host"
This returns a table such as:

user	host	count
user1	server1	1
user3	server1	3
user1	server3	2

Right after SRCH_1, we will pipe, and then add the map command (SRCH_MAP it shall be known as): |map search="search index=ad_summary username=$user$ type_logon=ad_last_logon". This command will take each of the three results above, and search in my ad_summary index for a user logon event. The results are returned as a table and look like this(ish):

_time	computername	computertime	username	usertime
10/12/12 8:31:35.00 AM	ADMIN28-H$	10/12/2012 08:25:42	user1	10/12/2012 08:31:35 AM

What this is doing, putting it together, is finding who sudo'd and then tracing back to the computer and time they logged on to prior to the sudo event.

EDIT:
Here is the complete search:

sourcetype=syslog sudo|stats count by user host|map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

rtadams89 · ‎05-23-2014

What is the advantage of this over using a "join" command:

sourcetype=syslog sudo | stats count by user host | join user [ search index=ad_summary type_logon=ad_last_logon username=* | rename username AS user]

manish_singh_77 · ‎06-21-2018

Hi Alacercogitatus,

Can we use map command to pass variable value in rest end point?

koenV · ‎06-22-2018

Hi @manish_singh_777,

I'm not sure what you mean but I think you might want to take a look at working with Splunk using XML and the APIs?

koenV · ‎05-01-2018

There is not necessarily an advantage. Especially for large 'outer' searches the map command is very slow (and so is join - your example could also be done using stats only).
However, keep in mind that the map function returns only the results from the search specified in the map command, whereas a join will return results from both searches.

Any example for MAP command

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)