I have a sourcetype called sourcetype1 that contains the following three events:
foo=a
foo=b
foo=c
I then have a sourcetype called sourcetype2 that contains the following 4 events:
bar=x, othervalue=4
bar=y, othervalue=3
bar=z, othervalue=2
bar=a, othervalue=1
If I do the simple search
index=myindex sourcetype=sourcetype1 | fields foo
I get back the expected 3 events: a, b, c.
I then try to use the map command
index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=$foo$"
and I get the error
[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'map' command: Unable to run query 'search index=index2 bar=a'.
which makes me sad.
To further my confusion if I try a search just to get some different results
index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=x"
I end up with the results
a
b
c
which acts as if the subsearch never occurred. Any thoughts?
Is all the search and indexing on one Splunk instance, or do you have multiple indexers and/or a separate search head? Until 4.2, the map command will not issue searches in distributed mode. Also, I believe that unless you specify otherwise, the maxsearches option to the map command defaults to 1, so you should set that higher.
Also, I'm assuming you're replacing real terms with b etc., but the error you get is usually because the search you've constructed is syntactically invalid. Try perhaps putting quotes around the argument:
... | map search="search index=index2 bar=\"$foo$\""
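As an added example that is not part of this thread or of Splunk's own code: a small Python model of the map semantics under discussion, built from the events in the question. It shows that map returns only the inner searches' results (so getting "a b c" back means the inner search never ran), how maxsearches truncates the iteration, and why the token needs quoting: an unquoted $foo$ pastes the raw value into the query text, so a value containing a space or an extra term such as sourcetype=... changes the structure of the inner search rather than just its filter value. The tokenizer, the error raised for an invalid query, the hypothetical safe_substitute escaping rule and the index name myindex (taken from the post) are assumptions of this model, not Splunk's implementation.

```python
import re
import shlex

# Constructed events mirroring the question's sourcetype1 and sourcetype2.
SOURCETYPE1 = [{"foo": "a"}, {"foo": "b"}, {"foo": "c"}]
SOURCETYPE2 = [
    {"bar": "x", "othervalue": "4"},
    {"bar": "y", "othervalue": "3"},
    {"bar": "z", "othervalue": "2"},
    {"bar": "a", "othervalue": "1"},
]
INDEX = {"sourcetype1": SOURCETYPE1, "sourcetype2": SOURCETYPE2}

# The inner-search templates from the thread ("myindex" is the post's own name).
UNQUOTED = 'search index=myindex sourcetype=sourcetype2 bar=$foo$'
QUOTED = 'search index=myindex sourcetype=sourcetype2 bar="$foo$"'
FIXED_X = 'search index=myindex sourcetype=sourcetype2 bar=x'

TOKEN = re.compile(r"\$(\w+)\$")


def substitute(template, row):
    """Replace each $field$ with the row's raw value, with no quoting added (what map does)."""
    return TOKEN.sub(lambda m: str(row.get(m.group(1), "")), template)


def safe_substitute(template, row):
    """Hypothetical hardened variant (assumption, not a Splunk feature): strip any quotes
    the template author put around a token and insert each value as its own double-quoted,
    backslash-escaped string, so a value can never add or replace search terms."""
    def quoted(m):
        v = str(row.get(m.group(1), ""))
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return TOKEN.sub(quoted, template.replace('"$', "$").replace('$"', "$"))


def parse_search(text):
    """Tokenise 'search k=v k2="v v"' into {field: value}. Any bare word is a syntax
    error; the ValueError stands in for Splunk's 'Unable to run query' response."""
    parts = shlex.split(text)
    if not parts or parts[0] != "search":
        raise ValueError("not a search: %r" % text)
    filters = {}
    for term in parts[1:]:
        key, sep, value = term.partition("=")
        if not sep or not key:
            raise ValueError("bare term %r in %r" % (term, text))
        filters[key] = value
    return filters


def query_is_valid(text):
    """True if the constructed query tokenises as key=value terms only."""
    try:
        parse_search(text)
        return True
    except ValueError:
        return False


def run_search(text):
    """Evaluate the parsed filters against the constructed index."""
    filters = parse_search(text)
    filters.pop("index", None)
    events = INDEX[filters.pop("sourcetype")]
    return [e for e in events if all(e.get(k) == v for k, v in filters.items())]


def map_command(outer_rows, template, maxsearches=10, expand=substitute):
    """Model of `... | map search="<template>" maxsearches=N`: the inner search runs once
    per outer row, up to maxsearches, and ONLY the inner results are returned; the outer
    rows (a, b, c) do not pass through. maxsearches is a plain parameter here."""
    results = []
    for row in outer_rows[:maxsearches]:
        results.extend(run_search(expand(template, row)))
    return results


if __name__ == "__main__":
    print(map_command(SOURCETYPE1, UNQUOTED))       # the single bar=a event from sourcetype2
    print(map_command(SOURCETYPE1, FIXED_X))        # three copies of the bar=x event, not a b c
    print(parse_search(substitute(UNQUOTED, {"foo": "a sourcetype=sourcetype1"})))
    print(parse_search(safe_substitute(QUOTED, {"foo": 'a" b'})))
```

The unquoted form is the same failure class as any string-built query: the data decides the query's shape. Quoting the token fixes the common case (values with spaces), but a value that itself contains a double quote still breaks or alters the query, which is what safe_substitute escapes; in a real deployment the same concern applies to any field a user or an attacker can populate before it reaches a map template.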
I second the claim that this doesn't work. I only get the results from the original search, which is annoying as otherwise this would be a very useful command.
The only time I have ever seen this actually work as claimed is when invoking it after a "| metadata" search, and then using map to iterate over hosts as suggested here: http://answers.splunk.com/questions/8175/iterate-a-search-over-a-collection-of-variables
Are the results that come back from a metadata search different from normal events?
I guess I will log a case about it.
Good call on the quotes around $foo$. Single quotes work as well. I also added maxsearches. So that fixes the error I was getting. Running the fixed syntax still yields the 3 results that the initial search produces. It's as if the map command isn't being run at all.
Right now I'm running this command against a single index, multiple sourcetypes (which differs from above, I'll update to reflect), on a single Splunk instance.