Splunk Search

map command works but need more fields

mwdbhyat
Builder

Hi Guys,

I have a search that is working fine.. However the issue is that using the map command removes all other fields from the results - in this case only returning dest_ip. I would like to include other fields like src_ip + anyotherrelevant field data that I may want. Is there a way to return more values and just add them to the results?

Here is my search:

index=bla searchname="searchname*"
| search NOT [| inputlookup mylookup | eval dest_ip=CIDR | rename dest_ip as dest_ip| fields + dest_ip]
| search NOT [| inputlookup mylookup2 | rename Domain as url | fields + url]
| search NOT [| inputlookup mylookup3 | rename Domain as url | fields + url]
| dedup dest_ip
| join domain type=left [ search index=my_corr_search searchname="correlation_search" earliest=-1d latest=now]
| search NOT SearchValue=*
| map search="securitylookup engine=virustotal ip=$dest_ip$" maxsearches=80
| mvexpand SearchType
| eval dest_ip=SearchValue
| eval ThreatValue=8
| eval product_category="Virustotal"
| eval Tag="Malware"
| table src_ip, dest_ip, url, domain, SearchValue, Categories, Webutation, Detected_URLs, undetected_referrer_samples, Tag, domain, detected_downloaded_samples, ThreatValue, product_category

Any thoughts?

Thanks!

Tags (2)
0 Karma

yutaka1005
Builder

Since there is no data, I can not imagine much what you want to realize, but map can only pass the fields returned by the search defined in map to subsequent processing.

Therefore, if you want to pass some fields to the processing after map, why do not you define it with eval in the search of map like below?

map search="...| eval src_ip=\"$src_ip$\"..." maxsearches=80

Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...