Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a field outside of map as map's search query?

yaharga
Path Finder
‎06-03-2022 01:12 AM

I have a field called query that's like so:

(index="abc" OR index="def") (host="ghi" OR host="jkl") (sourcetype="mno" sourcetype="pqr") (source="stu" source="vwx") "*yz*"

I am trying to leverage it in a map search:

 <search that gets me the above field> | map search="search $query$"

 It doesn't seem to work. How do I go about doing it if another way is possible?

 

Just to clarify, map doesn't have to be the only solution; I simply need a solution to use the query field to perform a search per row (in addition to stats count) to find the number of results returned for each search.

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-03-2022 02:12 AM

Try something like this

 <search that gets me the above field> | map search="search index=$index$ sourcetype=$sourcetype$ source=$source$ host=$host$"
Reply
Solved! Jump to solution

yaharga
Path Finder
‎06-03-2022 02:25 AM

What should $index$ be to work with your solution? There are a variable number of indexes:

 

map search="search index=$index$"

 

$index$ can be changed using eval to whatever I want, so:
  • index="abc" OR index="def"
  • abc,def
  • "abc","def"
  • abc
    def

I can't do

map search="search (index=$indexA$ OR index=$indexB$)"

because $index$ is a multivalue field that's variable in length.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-03-2022 02:33 AM

The map command works on each event in the pipeline i.e. the events returned by the search. Each event will have come from an index, a sourcetype, a source and a host. Each event could have different sets or the same values for each. The search in map as I showed should use the values for the event it is processing.

Reply
Solved! Jump to solution

yaharga
Path Finder
‎06-03-2022 02:51 AM

The results from the first search are not events. They're from makeresults and eval. I made a table for my desired indexes, hosts, sourcetypes, and sources.

0 Karma
Reply
Solved! Jump to solution

yaharga
Path Finder
‎06-03-2022 03:57 AM 
| makeresults
| eval query="search (index=\"abc\" OR index=\"def\") (host=\"ghi\" OR host=\"jkl\") (sourcetype=\"mno\" sourcetype=\"pqr\") (source=\"stu\" source=\"vwx\") \"*yz*\""
| map search="| makeresults | map search="$$$$query$$$$

Should the above work? I'm using it in a dashboard form.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...