Splunk Search

map commands

Contributor

Hi,

I am searching for source, sourcetype and index name for a kind of event in the logs.

From the "internal" index I am getting "datasource" and "datasourcetype", but not the "indexname" where exactly this "datasource" resides.

That's why I am trying to use the "map" command to get the "indexname" from the "metricslog" (we are matching "datasource" from the "internal" with the "Series" from the "metricslog"), but the problem is I am getting only the information of "indexname", not the datasource and datasourcetype, because in my "map" command I have used

index="internal" ..... datasource .... | map search="search index=* sourcetype=metricslog series=$datasource$"

I am not getting any field of the "internal" index in the output, like "datasource" and "datasourcetype", but only getting the "indexname" field from "metricslog".

I want to get all the fields from the internal index as well as the "metricslog" sourcetype for all the matching "source file". Please help!!

Cheers,


Esteemed Legend

Based on your clarification:

I have an index=AAA in which I have two fields, "field_one" and "field_two".
I have another index=BBB in which I have another two fields, "field_three" and "field_four".
If I use the below:
    index=AAA field_one="somevalue" | map search="search index=BBB \"somestring\" field_three=$field_one$"
In the above scenario, if any of the values from field_one exist in index=BBB,
then "field_three" and "field_four" will show up for that particular matched value.
But I want, for all the matched values, to be able to see all the fields "field_one", "field_two", "field_three" and "field_four".
I want all the fields from index=AAA and index=BBB to show up for the matched values.

This should do it

(index=AAA field_one="somevalue") OR (index=BBB "somestring") | eval joiner=if(index="AAA",field_one,field_three) | stats values(*) AS * BY joiner | fields - joiner

SplunkTrust

I think there is something that needs to be said here ... the map command should be considered a "choice of last resort, when all other avenues have been exhausted, and there is NO better way of achieving the desired goal". There are far too many cases I see on Answers where people start out with map because the idea of "run this search, then iterate over its results to run other searches" is an idiom they understand. As your Splunk environment grows, the cost of dispatching searches grows. Using the map command in this way is almost a guarantee that your search performance gets worse as your environment grows.

SplunkTrust

Consider this map-less version for working on your Splunk-internal-events example:

| tstats count where (index=* OR index=_*) [search index=_internal sourcetype=splunkd data_source data_source=* | fields data_host data_source data_sourcetype | rename data_* as * | dedup host source sourcetype] by index host sourcetype source

There's also this generic stats-based search using the placeholder names from your clarification:

  (index=AAA field_one="somevalue") OR (index=BBB "something")
| eval field_one = coalesce(field_one, field_three)
| stats first(field_two) as field_two first(field_four) as field_four by field_one
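The values(*) search in the earlier answer and the first()-based search just above both rely on the same idea: retrieve events from both indexes in one search, derive a shared key, and aggregate on it instead of dispatching a map search per result. The following is an added, self-contained SPL example written for this page (it is not from the original thread); it builds a few constructed rows with makeresults in place of index=AAA and index=BBB, using the placeholder field names from the clarification, and then applies that pattern. It goes one step beyond the thread by adding a final where clause that keeps only keys present on both sides, since a plain stats ... BY also returns keys that matched on one side only.

```spl
| makeresults count=2
| streamstats count AS n
| eval index="AAA",
       field_one=case(n=1, "alpha", n=2, "beta"),
       field_two=case(n=1, "x1",    n=2, "x2")
| append
    [| makeresults count=2
     | streamstats count AS n
     | eval index="BBB",
            field_three=case(n=1, "alpha", n=2, "gamma"),
            field_four=case(n=1, "y1",    n=2, "y3")]
| fields - n _time
| eval joiner=coalesce(field_one, field_three)
| stats values(*) AS * BY joiner
| where isnotnull(field_one) AND isnotnull(field_three)
| fields - joiner
```

The first three pipelines only fabricate sample data: two "AAA" rows (alpha/x1, beta/x2) and two "BBB" rows (alpha/y1, gamma/y3). The join proper starts at the coalesce line, which gives every row one key regardless of which side it came from; stats values(*) AS * BY joiner then collapses each key into a single row carrying every field from both sides, and the where clause drops the one-sided keys (beta and gamma). Run as-is in any Splunk search bar it returns a single row: field_one=alpha, field_two=x1, field_three=alpha, field_four=y1, with index holding both AAA and BBB. To use it on real data, replace everything above the coalesce line with (index=AAA field_one="somevalue") OR (index=BBB "somestring"). Note that values() collapses duplicate values per key, so if several AAA events share a field_one value their field_two values are merged into one multivalue field; use first() or list() instead if that is not what you want.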

Esteemed Legend

It turns out that index=* does NOT include index=_* so if you need ALL indices, you have to use index=* OR index=_* like this:

index="_internal" ..... data_source .... | map search="search (index=* OR index=_*) sourcetype=metrics_log series=$data_source$"

SplunkTrust

This won't answer the actual question - how to get both the index from Metrics and the sourcetype from the other source in the results.

Contributor

Lemme explain my requirement fully once more!!

I have an index=AAA in which I have two fields, "fieldone" and "fieldtwo". Now,
I have another index=BBB in which I have another two fields, "fieldthree" and "fieldfour".

If I use the below:

index=AAA fieldone="somevalue" | map search="search index=BBB \"somestring\" fieldthree=$fieldone$"

In the above scenario, if any of the values from fieldone exist in index=BBB, then "fieldthree" and "fieldfour" will show up for that particular matched value.

But I want, for all the matched values, to be able to see all the fields "fieldone", "fieldtwo", "fieldthree" and "fieldfour". I want all the fields from index=AAA and index=BBB to show up for the matched values.

Cheers,