Splunk Search

How to pass values from previous search into map search

rlippincott
Explorer

Hello all, my search is below:

index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 AND storeId!=0001 
| eval regNbr=registerNbr | eval storeNbr=storeId 
| spath output="Store" "storeId" 
| spath output="Country" "countryCode" 
| spath output="Lane" "registerNbr" 
| spath output="Time" "timestamp" 
| spath output="Reloads" "tagName" 
| localize timebefore=5m 
| map search="search index=tcxelevate_webpos registerType=kioskBridge registerNbr= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$starttime$ latest=$endtime$" 
| spath output="Command" "command" 
| eval request=case(true(), "debug") 
| eval response=case(true(), "debug") 
| stats values(Country) as Country, latest(Command) as Command, latest(request) as Request, latest(response) as Response, values(Reloads) as Reloads by Store, Lane, Time 
| table Time, Reloads, Command, Request, Response, Store, Lane, Country

As you can see, I am trying to strip the register number from the first search into spath.

From there, I am trying to do a map search on all events that are pulled from the main search.

In the map search, I try to set registerNbr equal to the variable I made with the spath.

I am just trying to take the value for registerNbr from the first search, store it, and refer to it later in my map search to narrow down the search.

Any assistance?

P.S. Ignore my evals with case statements. I haven't filled those out yet, but I have working code that I will put in there after I am done testing to see if I can get the map search to work as I want it to.

0 Karma
1 Solution

richgalloway
SplunkTrust

To refer to a field within map, put the name of the field inside $. Tokens passed into the search are referred to using double $.

... | map search="search index=tcxelevate_webpos registerType=kioskBridge $registerNbr$= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$$starttime$$ latest=$$endtime$$"
---
If this reply helps you, Karma would be appreciated.
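A small model of the substitution that map performs, added here as an illustration and not code from either poster or from Splunk: it expands the question's template (bare regNbr/storeNbr, untouched by map) and the corrected one ($regNbr$/$storeNbr$) against constructed outer-search rows. Treating $$ as an escaped literal $ is an assumption about map's behaviour, and the missing-field error is the model's own choice.

```python
import re
from typing import Dict, List

# Constructed rows standing in for the outer search's results; starttime/endtime
# are the per-row window fields that `localize timebefore=5m` emits.
OUTER_ROWS: List[Dict[str, str]] = [
    {"regNbr": "12", "storeNbr": "0123", "starttime": "1712000000", "endtime": "1712000300"},
    {"regNbr": "7", "storeNbr": "0456", "starttime": "1712003600", "endtime": "1712003900"},
]

# The question's template: regNbr and storeNbr are bare words, so map never
# touches them and every inner search looks for those literal strings.
BROKEN = ("search index=tcxelevate_webpos registerType=kioskBridge registerNbr= regNbr "
          "countryCode=US enterpriseId=prod storeId=storeNbr earliest=$starttime$ latest=$endtime$")

# Same template with the field names wrapped in single $...$ as the answer explains.
FIXED = ("search index=tcxelevate_webpos registerType=kioskBridge registerNbr=$regNbr$ "
         "countryCode=US enterpriseId=prod storeId=$storeNbr$ earliest=$starttime$ latest=$endtime$")

# `$$` is modelled as an escaped literal `$` (assumption), `$name$` as a field reference.
TOKEN = re.compile(r"\$\$|\$([A-Za-z_][A-Za-z0-9_]*)\$")


def substitute(template: str, row: Dict[str, str]) -> str:
    """Expand one map template against one outer-search row (field values are
    inserted as raw text, exactly as they appear in the row)."""
    def repl(m: re.Match) -> str:
        if m.group(0) == "$$":
            return "$"
        name = m.group(1)
        # An unset field would expand to nothing and silently widen the inner
        # search; this model surfaces it instead.
        if name not in row:
            raise KeyError(f"map template references field '{name}' missing from row")
        return row[name]
    return TOKEN.sub(repl, template)


def expand_map(template: str, rows: List[Dict[str, str]]) -> List[str]:
    """Return the inner search string map would run for each outer row."""
    return [substitute(template, r) for r in rows]


if __name__ == "__main__":
    for line in expand_map(FIXED, OUTER_ROWS):
        print(line)
```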



dmarling
Builder

Do you mind editing your question and re-posting your query, but using the code sample box so the formatting is protected? Your query is getting roughed up a bit due to some escaping happening unintentionally with asterisks. I believe this is your query, but feel free to correct me:

index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 AND storeId!=0001 
| eval regNbr=registerNbr 
| eval storeNbr=storeId 
| spath output="Store" "storeId" 
| spath output="Country" "countryCode" 
| spath output="Lane" "registerNbr" 
| spath output="Time" "timestamp" 
| spath output="Reloads" "tagName" 
| localize timebefore=5m 
| map search="search index=tcxelevate_webpos registerType=kioskBridge registerNbr= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$starttime$ latest=$endtime$" 
| spath output="Command" "command" 
| eval request=case(true(), "debug") 
| eval response=case(true(), "debug") 
| stats values(Country) as Country, latest(Command) as Command, latest(request) as Request, latest(response) as Response, values(Reloads) as Reloads by Store, Lane, Time 
| table Time, Reloads, Command, Request, Response, Store, Lane, Country
If this comment/answer was helpful, please up vote it. Thank you.
0 Karma