Solved: Why is the map command in my search no longer retu...

kallisrayar1986 · ‎08-31-2016

Hi,

I would like to get the values of an event that matches a median value of that event. My search is something like this:

index = "index" test_id = "test_id" Scenario = "scenario" | stats median(field) as "SomeName" | map [search index = "index" test_id = "test_id" Scenario = "scenario" AND field = $SomeName$ | stats values by test_id ]

it used to work before, but for some reason it is not now. Please help.

sundareshr · ‎08-31-2016

You may be able to get your results using just a subsearch, like this

index = "index" test_id = "test_id" Scenario = "scenario"  [search index = "index" test_id = "test_id" Scenario = "scenario" | stats median(field) as field]   | stats values by test_id

OR avoid the sub-search with this

index = "index" test_id = "test_id" Scenario = "scenario"  | eventstats median(field) as med | where field=med | stats values by test_id

View solution in original post

sundareshr · ‎08-31-2016

You may be able to get your results using just a subsearch, like this

index = "index" test_id = "test_id" Scenario = "scenario"  [search index = "index" test_id = "test_id" Scenario = "scenario" | stats median(field) as field]   | stats values by test_id

OR avoid the sub-search with this

index = "index" test_id = "test_id" Scenario = "scenario"  | eventstats median(field) as med | where field=med | stats values by test_id

kallisrayar1986 · ‎09-01-2016

thank you Sundareshr, it worked.

Why is the map command in my search no longer returning results?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Why is the map command in my search no longer returning results?

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!