Splunk Search

How to use a field outside of map as map's search query?

yaharga
Path Finder

I have a field called query that's like so:

(index="abc" OR index="def") (host="ghi" OR host="jkl") (sourcetype="mno" sourcetype="pqr") (source="stu" source="vwx") "*yz*"

I am trying to leverage it in a map search:

<search that gets me the above field> | map search="search $query$"

It doesn't seem to work. How do I go about doing it if another way is possible?

Just to clarify, map doesn't have to be the only solution; I simply need a solution to use the query field to perform a search per row (in addition to stats count) to find the number of results returned for each search.

1 Solution

ITWhisperer
SplunkTrust

Try something like this

<search that gets me the above field> | map search="search index=$index$ sourcetype=$sourcetype$ source=$source$ host=$host$"

yaharga
Path Finder

What should $index$ be to work with your solution? There are a variable number of indexes:


map search="search index=$index$"


$index$ can be changed using eval to whatever I want, so:
  • index="abc" OR index="def"
  • abc,def
  • "abc","def"
  • abc
    def

I can't do

map search="search (index=$indexA$ OR index=$indexB$)"

because $index$ is a multivalue field that's variable in length.


ITWhisperer
SplunkTrust

The map command works on each event in the pipeline i.e. the events returned by the search. Each event will have come from an index, a sourcetype, a source and a host. Each event could have different sets or the same values for each. The search in map as I showed should use the values for the event it is processing.

yaharga
Path Finder

The results from the first search are not events. They're from makeresults and eval. I made a table for my desired indexes, hosts, sourcetypes, and sources.


yaharga
Path Finder

| makeresults
| eval query="search (index=\"abc\" OR index=\"def\") (host=\"ghi\" OR host=\"jkl\") (sourcetype=\"mno\" sourcetype=\"pqr\") (source=\"stu\" source=\"vwx\") \"*yz*\""
| map search="| makeresults | map search="$$$$query$$$$

Should the above work? I'm using it in a dashboard form.

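One way to get a per-row result count from a table of multivalue index/host fields, as an added example that is not from any poster in this thread. It builds each row's query string with mvjoin and avoids putting double quotes inside the field, so the value can be dropped into the map search string without escaping. It assumes that map substitutes the $query$ and $row$ token values verbatim; the index and host names are constructed placeholders, and the second row shows a shorter index list to make the point that the list length can vary per row.

```spl
| makeresults count=2
| streamstats count AS row
| eval idx=if(row=1, split("abc,def", ","), split("abc", ","))
| eval hst=split("ghi,jkl", ",")
| eval query="(index=" . mvjoin(idx, " OR index=") . ") (host=" . mvjoin(hst, " OR host=") . ") *yz*"
| map search="search $query$ | stats count | eval row=$row$" maxsearches=10
```

Each row of the outer table runs one inner search; `stats count` reduces it to a single result, and `eval row=$row$` carries the row number through, since map returns only the inner search's results and not the outer row's fields. If a value must contain a double quote (a source path with spaces, say), that quote has to survive substitution into the map string, which is the part that tends to break; keeping the built query free of quotes sidesteps it.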