map question

brdr · ‎06-25-2018

I'm getting some strange results with the map command. This is what I need to do... in one index (1st search) I have 'action' , 'host', and '_time' field. The other search (2nd search) is used in the map using fields 'user' and '_time'. I need to extract the field 'user' where the '_time' fields are very close together (few minutes) in both indexes. My result when I run the search I get duplicate rows and more events. Thanks for your help.

|index=myindex1 
| eval my_earliest=_time
| eval my_latest=relative_time(_time, "+3m")
| sort _time
| table action host my_earliest my_latest
| map search="search index=myindex2 (_time > my_earliest AND _time < my_latest) | dedup user | sort _time |eval action=$action$, host=$host$" maxsearches=500
| table user action host _time

brdr · ‎06-25-2018

i forgot the '$' around the my earliest and latest variables in the search.. doh.

map question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!

Join the Conversation

map question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

SplunkTrust Application Period is Officially OPEN!