Solved: Pass a value to a map subsearch and assign it to a...

romedome · ‎08-11-2015

How can I take a value from the base search an pass it to a map search like so:

<base search> | map "search index=a | eval Oldtime=$_time$"

I can use base search values to filter and compare in the map search, but I can use them to assign values 😞 Any thoughts?

somesoni2 · ‎08-11-2015

Try putting the values in double quotes? Also, try to rename the token to some general name and pass to subsearch (sometime that fixes the issue)

<base search> | eval Timestamp=_time| map "search index=a | eval Oldtime=\"$Timestamp$\""

View solution in original post

steveyz · ‎08-11-2015

the following worked for me:

| stats count | map search="search index=_internal | head 10 | eval x=$count$" | table x

You should see that you'll end up with 10 events all with x=0.

romedome · ‎08-11-2015

For some reason it was not working for me until I used x=\"$count$\"

steveyz · ‎08-11-2015

oh, you need to quote it for eval if it's supposed to be a string literal. Or else it will treat it as a field name or a number, which is why $count$ without the quote works if the count is just a number.

somesoni2 · ‎08-11-2015

Try putting the values in double quotes? Also, try to rename the token to some general name and pass to subsearch (sometime that fixes the issue)

<base search> | eval Timestamp=_time| map "search index=a | eval Oldtime=\"$Timestamp$\""

romedome · ‎08-11-2015

Wow! the quotes worked! Can you tell me why they're necessary?

I restructured the search backwards. I now have the search that generates the most information as the map search. That way I'm minimizing the amount of fields I need to pass along to the map search

Pass a value to a map subsearch and assign it to another field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!