Splunk Search

How to retain fields from base search to use after a map command?

att35
Builder

We have a search where one of the fields from base search is passed onto a REST API using map command. 

 

<Base Search> | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by user, src_ip, activity, riskLevel

|map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc="$src_ip$"

 

 

But after this search ,only the results returned by the REST API are shown. How can I include some of the fields from original search, e.g. user, activity so that they can later be used in a table?

Tried adding the field using eval right before the REST call but that doesn't seem to be working. 

 

eval activity=\"$activity$\" | rest

 

 

Also tried using "multireport" but only the first search is considered. 

 

| multireport  [ table user, src_ip, activity, riskLevel]
[| map map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc="$src_ip$"]

 

 

Is there a way to achieve this? API call itself returns a set of fields which I am extracting using spath but also want to keep some of the original ones for added context.

Thanks,

~Abhi

Labels (2)
Tags (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

The first command of the map search needs to be a generating command, such as rest. Try adding the eval afterwards.

<Base Search> | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by user, src_ip, activity, riskLevel

|map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc=\"$src_ip$\"
| eval activity=\"$activity$\""

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

The first command of the map search needs to be a generating command, such as rest. Try adding the eval afterwards.

<Base Search> | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by user, src_ip, activity, riskLevel

|map maxsearches=100 search="| rest splunk_server=local /services/App/.../ ioc=\"$src_ip$\"
| eval activity=\"$activity$\""

att35
Builder

Thanks @ITWhisperer 

This worked.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...