×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Kimiko
New Member
Member since: ‎11-26-2024
‎12-09-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎11-26-2024
View All

Re: Looking for feedback on SPL design using map c...

by in Splunk Search
‎12-09-2025 10:15 PM
‎12-09-2025 10:15 PM
Thank you for your feedback! Let me clarify the purpose of this SPL: Goal: The lookup CSV contains about 100 rows, each defining one macro. Each macro includes a predefined SPL search. When the alert runs, it needs to execute all these macros and collect the results. Why map is used: To run multiple macros in a single scheduled search. Each row from the lookup expands into a macro call, and the results are combined. Why dedup is used: If the same error log occurs repeatedly within the last 5 minutes (configured in the alert schedule), we want to consolidate those into one alert to avoid sending multiple identical emails. My question: Are there best practices or recommended alternatives for using map in scheduled searches? (Especially to mitigate the risk of excessive search executions.) Could you point out any areas in the overall design that might not follow Splunk best practices or could be improved? For example, potential performance issues with large data sets or long-term operation, whether the use of map is appropriate, and if this approach aligns with Splunk’s recommended methods. Any advice would be greatly appreciated! ... View more

Looking for feedback on SPL design using map comma...

by in Splunk Search
‎12-09-2025 09:17 PM
‎12-09-2025 09:17 PM
Hi Splunk Community, I have created the following SPL for scheduled alerts. Some parts are masked for confidentiality, but the structure is as follows: | inputlookup my_lookup_table | eval chk_ignore_from=if(Ignore_From!="", strptime(Ignore_From,"%Y/%m/%d %H:%M:%S"), null()) | eval chk_ignore_to =if(Ignore_To!="", strptime(Ignore_To,"%Y/%m/%d %H:%M:%S"), null()) | where isnull(chk_ignore_from) OR isnull(chk_ignore_to) OR (now() < chk_ignore_from OR now() >= chk_ignore_to) | where isnotnull(Macro) AND Macro!="" AND isnotnull(Alert_Mail_Send_To) AND Alert_Mail_Send_To!="" AND isnotnull(Alert_Mail_Title) AND Alert_Mail_Title!="" AND isnotnull(Alert_Mail_Body) AND Alert_Mail_Body!="" | eval Macro=trim(Macro) | eval Macro=case(match(Macro,"^[\"'].*[\"']$"), substr(Macro,2,len(Macro)-2), true(), Macro) | map maxsearches=500 search="search `$Macro$` | fields _time _raw host | eval target_host=\"...\", Alert_Mail_Send_To=\"...\", Alert_Mail_Title=\"...\", Alert_Mail_Body=\"...\", Macro=\"$Macro$\" | fields _time _raw host Alert_Mail_Send_To Alert_Mail_Title Alert_Mail_Body Macro target_host" | dedup Alert_Mail_Body My main concern is the use of the map command. I know map can be risky because it runs multiple searches and could cause performance issues if not controlled properly. Questions: Are there best practices for using map in scheduled searches to avoid excessive search executions? Besides maxsearches, is there any recommended way to limit or safeguard map usage in Splunk Cloud? From a long-term operation perspective, do you see any potential issues with this SPL design? Any feedback or suggestions would be greatly appreciated! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-09-2025 08:44 PM