How to pass values from previous search into map search

rlippincott
Explorer

Hello all, my search is below:

index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 AND storeId!=0001 
| eval regNbr=registerNbr | eval storeNbr=storeId 
| spath output="Store" "storeId" 
| spath output="Country" "countryCode" 
| spath output="Lane" "registerNbr" 
| spath output="Time" "timestamp" 
| spath output="Reloads" "tagName" 
| localize timebefore=5m 
| map search="search index=tcxelevate_webpos registerType=kioskBridge registerNbr= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$starttime$ latest=$endtime$" 
| spath output="Command" "command" 
| eval request=case(true(), "debug") 
| eval response=case(true(), "debug") 
| stats values(Country) as Country, latest(Command) as Command, latest(request) as Request, latest(response) as Response, values(Reloads) as Reloads by Store, Lane, Time 
| table Time, Reloads, Command, Request, Response, Store, Lane, Country

As you can see, I am trying to strip the register number from the first search into spath.

From there, I am trying to do a map search on all events that are pulled from the main search.

In the map search, I try to set registerNbr equal to the variable I made with the spath.

I am just trying to take the value for registerNbr from the first search, store it, and refer to it later in my map search to narrow down the search.

Any assistance?

P.S. ignore my evals with case statements. I haven't filled those out yet, but I have working code that I will put in there after I am done testing to see if I can get the map search to work as I want it to.


richgalloway
SplunkTrust

To refer to a field within map, put the name of the field inside $. Tokens passed into the search are referred to using double $.

... | map search="search index=tcxelevate_webpos registerType=kioskBridge $registerNbr$= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$$starttime$$ latest=$$endtime$$"
---
If this reply helps you, Karma would be appreciated.
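A complete version of the pipeline built on that answer, added here as an example (it is not the asker's query nor richgalloway's, and it assumes the index and field names from the question). Two points it makes explicit: `map` runs one separate search per input row, so the rows are de-duplicated first and `maxsearches` is raised from its default of 10; and the output of `map` contains only the fields the inner search produces, so the outer row's values are carried through with an `eval` inside the inner search. The five-minute window is computed per event with `eval` instead of `localize`, so every event keeps its own fields for `$…$` substitution; the epoch values are referenced with a single `$`, as the asker's original did.

```spl
index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 storeId!=0001
| spath output="Store" "storeId"
| spath output="Country" "countryCode"
| spath output="Lane" "registerNbr"
| spath output="Time" "timestamp"
| spath output="Reloads" "tagName"
| eval starttime=_time-300, endtime=_time
| dedup Store Lane Time
| map maxsearches=200 search="search index=tcxelevate_webpos registerType=kioskBridge registerNbr=\"$Lane$\" countryCode=US enterpriseId=prod storeId=\"$Store$\" earliest=$starttime$ latest=$endtime$ | spath output=\"Command\" \"command\" | eval Store=\"$Store$\", Lane=\"$Lane$\", Time=\"$Time$\", Country=\"$Country$\", Reloads=\"$Reloads$\""
| stats values(Country) as Country, latest(Command) as Command, values(Reloads) as Reloads by Store, Lane, Time
| table Time, Reloads, Command, Store, Lane, Country
```

Each `$Lane$`, `$Store$`, `$Time$`, `$starttime$` and `$endtime$` is replaced with that row's value before the inner search runs, which is why the string values are wrapped in escaped quotes inside the `search=` argument. Keep an eye on the row count feeding `map`: every row costs a full search, so the `dedup` (or a `stats`/`head` that narrows the rows) is what keeps this query affordable.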


dmarling
Builder

Do you mind editing your question and re-posting your query, but using the code sample box so the formatting is protected? Your query is getting roughed up a bit due to some escaping happening unintentionally with asterisks. I believe this is your query but feel free to correct me:

index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 AND storeId!=0001 
| eval regNbr=registerNbr 
| eval storeNbr=storeId 
| spath output="Store" "storeId" 
| spath output="Country" "countryCode" 
| spath output="Lane" "registerNbr" 
| spath output="Time" "timestamp" 
| spath output="Reloads" "tagName" 
| localize timebefore=5m 
| map search="search index=tcxelevate_webpos registerType=kioskBridge registerNbr= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$starttime$ latest=$endtime$" 
| spath output="Command" "command" 
| eval request=case(true(), "debug") 
| eval response=case(true(), "debug") 
| stats values(Country) as Country, latest(Command) as Command, latest(request) as Request, latest(response) as Response, values(Reloads) as Reloads by Store, Lane, Time 
| table Time, Reloads, Command, Request, Response, Store, Lane, Country
If this comment/answer was helpful, please up vote it. Thank you.