Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

map question

brdr
Contributor
‎06-25-2018 12:04 PM

I'm getting some strange results with the map command. This is what I need to do... in one index (1st search) I have 'action' , 'host', and '_time' field. The other search (2nd search) is used in the map using fields 'user' and '_time'. I need to extract the field 'user' where the '_time' fields are very close together (few minutes) in both indexes. My result when I run the search I get duplicate rows and more events. Thanks for your help.

|index=myindex1 
| eval my_earliest=_time
| eval my_latest=relative_time(_time, "+3m")
| sort _time
| table action host my_earliest my_latest
| map search="search index=myindex2 (_time > my_earliest AND _time < my_latest) | dedup user | sort _time |eval action=$action$, host=$host$" maxsearches=500
| table user action host _time
Tags (1)
0 Karma
Reply

brdr
Contributor
‎06-25-2018 01:45 PM

i forgot the '$' around the my earliest and latest variables in the search.. doh.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Related Topics
map search question
Get Updates on the Splunk Community!

Developer Spotlight with Mika Borner

From Hackathon Winner to Enterprise Leader    Mika Borner, CEO and Founder of Datapunctum AG, has been ...

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...