Splunk Search

map value not passing

himanshu_mps
Loves-to-Learn Lots

Hi,

I have a query which returns around 4000 results and I want to run map query for all that 4000 results. This is the query but it doesn't return any results. Individual query are working fine.

index=xxxxx_xxxxx2_idx ns=yyy-yyyy xxxx-t1-* totalDuration 
| spath input=message output=overallTimeTaken path=totalDuration 
| where overallTimeTaken > 226 
| spath input=message output=yyy-yyyy-correlation-id-var path=yyy-yyyy-correlation-id 
| map search="search index=xxxxx_xxxxx2_idx ns=xxxx-api-v4 app_name=xxxxarngs-* xxxxRequestLoggingHandlerImpl $yyy-yyyy-correlation-id-var$ 
| head 1
| eval arngServerTimeTaken=mvindex(split(_raw," "),-2) 
| eval id=mvindex(split(_raw," "),-8) 
| stats id, max(arngServerTimeTaken) as arngServerTimeTaken 
| appendcols 
    [ search index=xxxxx_xxxxx2_idx ns=xxxx-api-v4 app_name=xxxxtranslation-* xxxxRequestLoggingHandlerImpl $yyy-yyyy-correlation-id-var$
	| head 1
    | eval translationServerTimeTaken=mvindex(split(_raw," "),-2) 
    | stats max(translationServerTimeTaken) as translationServerTimeTaken]" maxsearches=0 
| table id, arngServerTimeTaken

 

The yyy-yyyy-correlation-id-var will be around 4000 from the first query which is going as an input to map. I need to make it work from map/multisearch as I have 10 other columns that I want to add to the result from other search queries.

Labels (1)
0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!