Splunk Search

Is it possible to use map search twice?

ak9092
Path Finder

Not sure if this is possible through a Splunk query, but what I am trying to do is basically retrieve a field value from one search and pass it into another, and the same is to be done twice to get the desired result.
Let's consider the 3 different events below as _raw data:

14:06:06.932 host=xyz type=xyz type_id=123
14:06:06.932 host=xyz type=abc category=foo status=success
14:30:15.124 host=xyz app=test

Now, the 1st and 2nd events are going into the same index and sourcetype, but the 3rd event is in a different index & sourcetype.

The 1st and 2nd events are happening at exactly the same time.

The expected result is to return the following field values:
host type type_id category status app

Below is my search, in which I am able to successfully correlate and find the category and status fields from the second event:

index=foo sourcetype=foo type=xyz
|eval earliest = _time
|eval latest = earliest + 0.001
|table host type type_id earliest latest
|map search="search index=foo sourcetype=foo type=abc host=$host$ earliest=$earliest$ latest=$latest$
|stats values(_time) as _time values(type) as type values(category) as category values(status) as status by host"
|append
[search index=foo sourcetype=foo type=xyz
|stats values(type) as type values(type_id) as type_id by host]
|stats values(*) as * by host

The problem comes when I try to add another map search command to retrieve the app value present in the 3rd event.
So basically the following mapping should provide me those results:

|map search="search index=pqr sourcetype=pqr host=$host$ category=$category$ earliest=-1d latest=now|stats count by app"

And then this app value is to be searched in one of the lookup files to get some details.

I have tried multiple ways to incorporate this into the search but no luck.
Any help is appreciated.

0 Karma

bowesmana
SplunkTrust

My gut feel says that using map is not the right approach here - it has its uses but generally you can do things differently using stats.

Looking at the first 2 events, it seems you could combine those simply with

index=foo sourcetype=foo
| fields _time host type type_id category status
| stats values(*) as * by _time host

This assumes that a single host will have at most 1 pair of events, but I am not sure if your original version would have similar limitations.

Then I understand you are trying to get 'app' from the 3rd event to give you app related lookup data.

Your third event, from your search (sourcetype pqr), indicates it also has category, as well as app. 

If that is supposed to have category data and the correlation between the 1+2 events and the 3rd is host+category, but the event can come before or after the 1+2 events, then MAYBE this could be done with a join.

I am not a fan of join, as it has limitations, but you could add in

| join host category [
  search index=pqr sourcetype=pqr earliest=-1d latest=now
  | stats values(app) as app by host category
]

If this search will return a small data set then a join may be an OK solution.


0 Karma
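A complete search that carries bowesmana's stats-plus-join approach through to the lookup step the question asks about, as an added example that is not part of either post. The lookup name `app_details` and its output fields `owner` and `description` are assumptions (substitute the real lookup definition); the index, sourcetype and field names are those from the question.

```spl
index=foo sourcetype=foo
| fields _time host type type_id category status
| stats values(*) as * by _time host
| join type=left host category [
    search index=pqr sourcetype=pqr earliest=-1d latest=now
    | stats values(app) as app by host category
  ]
| lookup app_details app OUTPUT owner description
| table _time host type type_id category status app owner description
```

A few points to check before relying on this: `stats ... by _time host` only pairs events whose `_time` is identical down to the millisecond, which the question says is the case here, so the `earliest`/`latest` window from the original `map` version is no longer needed. `type=left` keeps the host rows that have no matching `app`, so a missing correlation shows up as an empty column rather than a silently dropped row. The join subsearch carries its own `earliest=-1d latest=now`, so it ignores the time picker of the outer search, and it is bounded by the `[join]` limits in limits.conf (by default 50,000 results and 60 seconds), which is why the answer says join is fine only for a small data set. By comparison, `map` runs one full search per input row and stops after `maxsearches` (default 10) unless you raise it, which is usually the reason a second `map` "does nothing" on a result set of more than a handful of hosts.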