Solved: Why is the map command in my search no longer retu...

kallisrayar1986 · ‎08-31-2016

Hi,

I would like to get the values of an event that matches a median value of that event. My search is something like this:

index = "index" test_id = "test_id" Scenario = "scenario" | stats median(field) as "SomeName" | map [search index = "index" test_id = "test_id" Scenario = "scenario" AND field = $SomeName$ | stats values by test_id ]

it used to work before, but for some reason it is not now. Please help.

sundareshr · ‎08-31-2016

You may be able to get your results using just a subsearch, like this

index = "index" test_id = "test_id" Scenario = "scenario"  [search index = "index" test_id = "test_id" Scenario = "scenario" | stats median(field) as field]   | stats values by test_id

OR avoid the sub-search with this

index = "index" test_id = "test_id" Scenario = "scenario"  | eventstats median(field) as med | where field=med | stats values by test_id

View solution in original post

sundareshr · ‎08-31-2016

You may be able to get your results using just a subsearch, like this

index = "index" test_id = "test_id" Scenario = "scenario"  [search index = "index" test_id = "test_id" Scenario = "scenario" | stats median(field) as field]   | stats values by test_id

OR avoid the sub-search with this

index = "index" test_id = "test_id" Scenario = "scenario"  | eventstats median(field) as med | where field=med | stats values by test_id

kallisrayar1986 · ‎09-01-2016

thank you Sundareshr, it worked.

Why is the map command in my search no longer returning results?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...