Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

map command works but need more fields

mwdbhyat
Builder
‎10-12-2018 12:02 AM

Hi Guys,

I have a search that is working fine.. However the issue is that using the map command removes all other fields from the results - in this case only returning dest_ip. I would like to include other fields like src_ip + anyotherrelevant field data that I may want. Is there a way to return more values and just add them to the results?

Here is my search:

index=bla searchname="searchname*"
| search NOT [| inputlookup mylookup | eval dest_ip=CIDR | rename dest_ip as dest_ip| fields + dest_ip]
| search NOT [| inputlookup mylookup2 | rename Domain as url | fields + url]
| search NOT [| inputlookup mylookup3 | rename Domain as url | fields + url]
| dedup dest_ip
| join domain type=left [ search index=my_corr_search searchname="correlation_search" earliest=-1d latest=now]
| search NOT SearchValue=*
| map search="securitylookup engine=virustotal ip=$dest_ip$" maxsearches=80
| mvexpand SearchType
| eval dest_ip=SearchValue
| eval ThreatValue=8
| eval product_category="Virustotal"
| eval Tag="Malware"
| table src_ip, dest_ip, url, domain, SearchValue, Categories, Webutation, Detected_URLs, undetected_referrer_samples, Tag, domain, detected_downloaded_samples, ThreatValue, product_category

Any thoughts?

Thanks!

Tags (2)
0 Karma
Reply

yutaka1005
Builder
‎10-12-2018 01:21 AM

Since there is no data, I can not imagine much what you want to realize, but map can only pass the fields returned by the search defined in map to subsequent processing.

Therefore, if you want to pass some fields to the processing after map, why do not you define it with eval in the search of map like below?

map search="...| eval src_ip=\"$src_ip$\"..." maxsearches=80

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...