Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- MAP command in splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team, I am having a difficulty in understanding map command. In the below commands, we need to extract work order ID from one sourcetype and using that, I need to extract sessionid corresponding to that work order ID.
sourcetype=XYZ QI-*|rex "FINISH:\sWO\sID\sis\s\s(?[^\s]+)"|stats values(WOID) as WOID|map search="search sourcetype=ABC val=$WOID$|stats values(sessionid)"
When I just using one Work order (QI-12345) I am getting the result. But when I am using QI-* (which has 6 such work order ID) , I am not able to get results. Could you please help?
Thanks ,
Arjit.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@arjitgoswami, you r base search is returning multi-value result. Try the following:
sourcetype="pega17052017n" QI-535653 OR QI-535654
| stats count by WOID
| rename WOID as val
| table val
| map search="search sourcetype=\"QI-535653\" QI-* val=$val$
| stats values(sessionid) by val" maxsearches=10
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@arjitgoswami, you r base search is returning multi-value result. Try the following:
sourcetype="pega17052017n" QI-535653 OR QI-535654
| stats count by WOID
| rename WOID as val
| table val
| map search="search sourcetype=\"QI-535653\" QI-* val=$val$
| stats values(sessionid) by val" maxsearches=10
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @niketnilay ! adding stats count by WOID helped to send single valued result to map command. It looks like only count function (and not stats(values) or table command) is sending single values data to map command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @arjitgoswamy, since it was a duplicate thread (https://answers.splunk.com/answers/542641/map-command-in-splunk.html), where I had answered your question, I have pasted my comment here as an answer. Please accept to mark this as closed.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
sourcetype="pega17052017n" QI-535653 OR QI-535654|stats values(WOID) as val
| table val
| map maxsearches=10 search="search sourcetype=\"QI-535653\" QI-* val=$val$|stats values(sessionid) by val"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have to pass values one by one to the map search command. Try something like this -
sourcetype=pega17052017n QI-*|rex "UWCChange\sStage\sFINISH:\sWO\sID\sis\s\s(?[^\s]+)"|dedup WOID | table WOID |map search="search sourcetype=QI-535653 val=$WOID$|stats values(sessionid) "
What's New in Splunk Observability - August 2025
Introduction to Splunk AI
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
