- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a search where one of the fields from base search is passed onto a REST API using map command.
<Base Search> | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by user, src_ip, activity, riskLevel
|map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc="$src_ip$"
But after this search ,only the results returned by the REST API are shown. How can I include some of the fields from original search, e.g. user, activity so that they can later be used in a table?
Tried adding the field using eval right before the REST call but that doesn't seem to be working.
eval activity=\"$activity$\" | rest
Also tried using "multireport" but only the first search is considered.
| multireport [ table user, src_ip, activity, riskLevel]
[| map map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc="$src_ip$"]
Is there a way to achieve this? API call itself returns a set of fields which I am extracting using spath but also want to keep some of the original ones for added context.
Thanks,
~Abhi
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
The first command of the map search needs to be a generating command, such as rest. Try adding the eval afterwards.
<Base Search> | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by user, src_ip, activity, riskLevel
|map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc=\"$src_ip$\"
| eval activity=\"$activity$\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
![SplunkTrust SplunkTrust](/html/@E48BE65924041B382F8C3220FF058B38/rank_icons/splunk-trust-16.png)
The first command of the map search needs to be a generating command, such as rest. Try adding the eval afterwards.
<Base Search> | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by user, src_ip, activity, riskLevel
|map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc=\"$src_ip$\"
| eval activity=\"$activity$\""
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @ITWhisperer
This worked.
![](/skins/images/396DDBEEAC295EB5FEC41FF128E8AC0A/responsive_peak/images/icon_anonymous_message.png)