map value not passing

himanshu_mps · ‎08-04-2021

Hi,

I have a query which returns around 4000 results and I want to run map query for all that 4000 results. This is the query but it doesn't return any results. Individual query are working fine.

index=xxxxx_xxxxx2_idx ns=yyy-yyyy xxxx-t1-* totalDuration 
| spath input=message output=overallTimeTaken path=totalDuration 
| where overallTimeTaken > 226 
| spath input=message output=yyy-yyyy-correlation-id-var path=yyy-yyyy-correlation-id 
| map search="search index=xxxxx_xxxxx2_idx ns=xxxx-api-v4 app_name=xxxxarngs-* xxxxRequestLoggingHandlerImpl $yyy-yyyy-correlation-id-var$ 
| head 1
| eval arngServerTimeTaken=mvindex(split(_raw," "),-2) 
| eval id=mvindex(split(_raw," "),-8) 
| stats id, max(arngServerTimeTaken) as arngServerTimeTaken 
| appendcols 
    [ search index=xxxxx_xxxxx2_idx ns=xxxx-api-v4 app_name=xxxxtranslation-* xxxxRequestLoggingHandlerImpl $yyy-yyyy-correlation-id-var$
	| head 1
    | eval translationServerTimeTaken=mvindex(split(_raw," "),-2) 
    | stats max(translationServerTimeTaken) as translationServerTimeTaken]" maxsearches=0 
| table id, arngServerTimeTaken

The yyy-yyyy-correlation-id-var will be around 4000 from the first query which is going as an input to map. I need to make it work from map/multisearch as I have 10 other columns that I want to add to the result from other search queries.

map value not passing

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Are you a member of the Splunk Community?

map value not passing

Splunk Answers Content Calendar, June Edition

What You Read The Most: Splunk Lantern’s Most Popular Articles!

See your relevant APM services, dashboards, and alerts in one place with the updated ...