Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Pass a value to a map subsearch and assign it to another field

romedome
Path Finder
‎08-11-2015 10:34 AM

How can I take a value from the base search an pass it to a map search like so:

<base search> | map "search index=a | eval Oldtime=$_time$"

I can use base search values to filter and compare in the map search, but I can use them to assign values 😞 Any thoughts?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-11-2015 10:45 AM

Try putting the values in double quotes? Also, try to rename the token to some general name and pass to subsearch (sometime that fixes the issue)

<base search> | eval Timestamp=_time| map "search index=a | eval Oldtime=\"$Timestamp$\""

View solution in original post

Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎08-11-2015 11:46 AM

the following worked for me:

| stats count | map search="search index=_internal | head 10 | eval x=$count$" | table x

You should see that you'll end up with 10 events all with x=0.

Reply
Solved! Jump to solution

romedome
Path Finder
‎08-11-2015 03:16 PM

For some reason it was not working for me until I used x=\"$count$\"

0 Karma
Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎08-11-2015 03:19 PM

oh, you need to quote it for eval if it's supposed to be a string literal. Or else it will treat it as a field name or a number, which is why $count$ without the quote works if the count is just a number.

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-11-2015 10:45 AM

Try putting the values in double quotes? Also, try to rename the token to some general name and pass to subsearch (sometime that fixes the issue)

<base search> | eval Timestamp=_time| map "search index=a | eval Oldtime=\"$Timestamp$\""
Reply
Solved! Jump to solution

romedome
Path Finder
‎08-11-2015 03:15 PM

Wow! the quotes worked! Can you tell me why they're necessary?

I restructured the search backwards. I now have the search that generates the most information as the map search. That way I'm minimizing the amount of fields I need to pass along to the map search

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...