Splunk Search

map commands

abhayneilam
Contributor

Hi,

I am searching for the source, sourcetype and indexname for a kind of event in the logs.

From the "_internal" index I am getting "data_source" and "data_sourcetype", but not the "indexname" in which this "data_source" actually resides.

That's why I am trying to use the "map" command to get the "indexname" from "metrics_log" (we are matching "data_source" from "_internal" with "Series" from "metrics_log"), but the problem is that I am getting only the "indexname" information, not data_source and data_sourcetype, because in my "map" command I have used

index="_internal" ..... data_source .... | map search="search index=* sourcetype=metrics_log series=$data_source$"

I am not getting any field from the "_internal" index in the output, like "data_source" and "data_sourcetype", but only the "indexname" field from "metrics_log".

I want to get all the fields from the _internal index as well as from the "metrics_log" sourcetype for all the matching "source file"s. Please help!!

Cheers,

0 Karma

woodcock
Esteemed Legend

Based on your clarification:

I have an index=AAA in which I have two fields, "field_one" and "field_two".
I have another index=BBB in which I have another two fields, "field_three" and "field_four".
If I use the below:
    index=AAA field_one="somevalue" | map search="search index=BBB \"somestring\" field_three=$field_one$"
in the above scenario, if any of the values from field_one exists in index=BBB,
then "field_three" and "field_four" will show up for that particular matched value.
But I want, for all the matched values, to be able to see all the fields "field_one", "field_two", "field_three" and "field_four".
I want all the fields from index=AAA and index=BBB to show up for the matched values.

This should do it:

(index=AAA field_one="somevalue") OR (index=BBB "somestring") | eval joiner=if(index=="AAA",field_one,field_three) | stats values(*) AS * BY joiner | fields - joiner
0 Karma
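The search above also emits a row for every field_one value that has no match in index=BBB (the row simply lacks field_three and field_four). Added example, not from the thread: the same single-pass stats join, with a constructed "side" field so only joiner values seen in both indexes survive. Field and index names are the placeholders from the clarification.

```spl
(index=AAA field_one="somevalue") OR (index=BBB "somestring")
``` Only one of field_one / field_three exists per event, so coalesce picks the join key
| eval joiner=coalesce(field_one, field_three)
``` Tag which index each event came from (assumed: index names are exactly AAA and BBB)
| eval side=if(index=="AAA", "AAA", "BBB")
``` One row per join key, carrying every field from both sides; dc(side)=2 means both indexes matched
| stats values(*) AS * dc(side) AS side_count BY joiner
| where side_count=2
| fields - joiner side side_count
```

Drop the `where` line to get woodcock's original behaviour (unmatched field_one values kept with empty field_three/field_four).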

dwaddle
SplunkTrust

I think there is something that needs to be said here ... the map command should be considered a "choice of last resort, when all other avenues have been exhausted, and there is NO better way of achieving the desired goal". There are far too many cases I see on Answers where people start out with map because the idea of "run this search, then iterate over its results to run other searches" is an idiom they understand. As your Splunk environment grows, the cost of dispatching searches grows. Using the map command in this way is almost a guarantee that your search performance gets worse as your environment grows.

martin_mueller
SplunkTrust

Consider this map-less version for working on your Splunk-internal-events example:

| tstats count where (index=* OR index=_*) [search index=_internal sourcetype=splunkd data_source data_source=* | fields data_host data_source data_sourcetype | rename data_* as * | dedup host source sourcetype] by index host sourcetype source

There's also this generic stats-based search using the placeholder names from your clarification:

(index=AAA field_one="somevalue") OR (index=BBB "something")
| eval field_one = coalesce(field_one, field_three)
| stats first(field_two) as field_two first(field_four) as field_four by field_one

woodcock
Esteemed Legend

It turns out that index=* does NOT include index=_* so if you need ALL indices, you have to use index=* OR index=_* like this:

index="_internal" ..... data_source .... | map search="search (index=* OR index=_*) sourcetype=metrics_log series=$data_source$"
0 Karma

martin_mueller
SplunkTrust

This won't answer the actual question - how to get both the index from Metrics and the sourcetype from the other source in the results.

abhayneilam
Contributor

Lemme explain my requirement fully once more!!

I have an index=AAA in which I have two fields, "field_one" and "field_two". Now,
I have another index=BBB in which I have another two fields, "field_three" and "field_four".

If I use the below:

index=AAA field_one="somevalue" | map search="search index=BBB \"somestring\" field_three=$field_one$"

in the above scenario, if any of the values from field_one exists in index=BBB, then "field_three" and "field_four" will show up for that particular matched value.

But I want, for all the matched values, to be able to see all the fields "field_one", "field_two", "field_three" and "field_four". I want all the fields from index=AAA and index=BBB to show up for the matched values.

Cheers,
