Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: passing previous result fields to localize and...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Say I have a search like this, trying to find all the events that occurred on hosts around the some_text event:
index=_internal host=host1 OR host=host2 source=splunkd.log some_text | localize | map search="search index=_internal"
How do I tell localize and map to only search over the hosts that matched in the original search? I tried adding host=$host$ to the map search, as the documentation indicates, but I get the error that it did not find value for required attribute host. Will the syntax change if I use it in a dashboard?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to do this by just recreating the behavior of localize function manually
| eval eventTimeMinusX=_time-60
| eval eventTimePlusX=_time+60
| map search="search sourcetype=WinEventLog:Application host=$host$ _time>=$eventTimeMinusX$ _time<=$eventTimePlusX$" maxsearches=100
| sort host, _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to do this by just recreating the behavior of localize function manually
| eval eventTimeMinusX=_time-60
| eval eventTimePlusX=_time+60
| map search="search sourcetype=WinEventLog:Application host=$host$ _time>=$eventTimeMinusX$ _time<=$eventTimePlusX$" maxsearches=100
| sort host, _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi cphair
I think, the problem ist that you loose the information from your base search when you pipe to localize so there is no host field left for the map command. If you already know which hosts you are looking for in the base search you can reuse them in the map search.
I used sourcetype instead of host in this example:
index=_internal source=*splunkd.log (sourcetype=splunkd OR sourcetype=scheduler) | localize | map search="search index=_internal (sourcetype=splunkd OR sourcetype=scheduler) starttimeu=$starttime$ endtimeu=$endtime$"
You have to decide whether you want to loop over a list of hosts or a list of time ranges with the map command. But maybe I misunderstood your question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, I never did. It wasn't a hard requirement, so I let it go.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@cphair: Did you fid any workarounds for this or another apporach? I have a similar issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's the problem, though--I don't know which hosts were found by the base search. It may be that only one host matched, in which case I'm not interested in any events around that time from the other host. So localize can't handle that?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
