Hello,
I have created a search using the map command to retrieve fields from another source. Both searches run separately produce expected results, but when I put them together the columns from the original search (not the map) stay empty. Here is my complete search:
index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=$customer_IP1$ | stats values($customer_IP1$) as IP, values($status_final$) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"
I have also tried this:
index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final | map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=$customer_IP1$ | stats first(reg_nr) as reg_nr | table reg_nr" | fields customer_IP1, status_final, reg_nr
I tried many more variations, e.g. using the subsearch notation etc, but they all return empty columns for customer_IP1 and status_final (or IP and status in the first statement). The results for reg_nr look good.
Thanks for any help
@gesa_behrens,
As mentioned in the docs, the map command is a looping operator that runs a search repeatedly for each input event or result, i.e. a search with a string like $count$, for example, will replace the variable with the value of the count field in the input search result.
Let's take the result of the search below as an example:
index=main sourcetype="access_log" status_final=400 | stats count by customer_IP, status_final | rename customer_IP as customer_IP1 | table customer_IP1, status_final
----Result----
customer_IP1 status_final
1.1.1.1 400
2.2.2.2 400
Now in the map command, wherever the variable is mentioned, it will be replaced with the value of that field, in our case customer_IP1 & status_final. For each value, the map search will be executed, i.e.
| map maxsearches=100 search="search index=main sourcetype=logdb customer_IP=1.1.1.1 | stats values(1.1.1.1) as IP, values(400) as status, first(reg_nr) as reg_nr | table IP, status, reg_nr"
values(1.1.1.1) does not yield a value since 1.1.1.1 is not a field, and similarly values(400).
You may check the search.log in the job inspector to verify this.
Thanks, renjith.nair, for the quick answer.
That makes sense. I see now why this statement cannot work.
Can you please have a look at my second statement too? This is very similar to something I found in another Splunk answer, but it does not work either.
The main question is: how do I get the values (customer_IP and status_final) from the first search into the result table at the end?
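As an added illustration (not code from this thread or from Splunk), here is a small Python model of what map does: it substitutes every $field$ textually first and only then runs the inner search, which is why values($customer_IP1$) becomes values(1.1.1.1) and returns nothing. It also shows the usual way to carry outer fields into the inner result, an eval that assigns the substituted literal to a field, which is an assumption beyond the thread; the sample data and the toy interpreter of the inner search are constructed.

```python
import re

# Constructed sample data: outer stats results and inner "logdb" events.
OUTER_RESULTS = [
    {"customer_IP1": "1.1.1.1", "status_final": "400"},
    {"customer_IP1": "2.2.2.2", "status_final": "400"},
]
LOGDB = [
    {"customer_IP": "1.1.1.1", "reg_nr": "REG-17"},
    {"customer_IP": "1.1.1.1", "reg_nr": "REG-18"},
    {"customer_IP": "2.2.2.2", "reg_nr": "REG-42"},
]

def substitute(template, row):
    """Step 1 of map: replace each $field$ with the row's value, as plain text."""
    return re.sub(r"\$(\w+)\$", lambda m: row[m.group(1)], template)

def run_inner(search, events):
    """Toy model of the inner search (assumption, not real SPL): a customer_IP=<v>
    filter, optional eval name="literal" assignments, then stats values()/first()."""
    ip = re.search(r"customer_IP=(\S+)", search).group(1)
    matched = [dict(e) for e in events if e["customer_IP"] == ip]
    # eval with a quoted literal adds a real field to every matched event
    for name, literal in re.findall(r'(\w+)="([^"]*)"', search):
        for e in matched:
            e[name] = literal
    result = {}
    for fn, arg, alias in re.findall(r"(values|first)\((\S+?)\) as (\w+)", search):
        vals = [e[arg] for e in matched if arg in e]  # a bare value is not a field
        if fn == "values":
            result[alias] = sorted(set(vals)) or None
        else:
            result[alias] = vals[0] if vals else None
    return result

def run_map(template, outer, events):
    """Step 2 of map: run the substituted search once per outer row."""
    return [run_inner(substitute(template, row), events) for row in outer]

# The thread's first attempt: the outer fields become literals inside values().
BROKEN = ("search customer_IP=$customer_IP1$ | stats values($customer_IP1$) as IP, "
          "values($status_final$) as status, first(reg_nr) as reg_nr")
# Carry-over idiom (assumed): assign the substituted literal to a field first.
FIXED = ('search customer_IP=$customer_IP1$ | eval customer_IP1="$customer_IP1$", '
         'status_final="$status_final$" | stats values(customer_IP1) as IP, '
         "values(status_final) as status, first(reg_nr) as reg_nr")
```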
Try a different approach.
index=main (sourcetype="access_log" OR sourcetype="logdb")
|eventstats dc(sourcetype) as c by customer_IP
|where c > 1
|stats values(status_final) as status,first(reg_nr) as reg_nr by customer_IP
Test it with your data and see if it works.
This one actually works, thanks!
Does this mean that using 'map' I cannot enrich a table from the first search?
From the documentation I thought this was exactly the purpose of 'map'.
But this is maybe not the right place to discuss this.
Thanks for your help!