I have a sourcetype called sourcetype1 that contains the following three events:
foo=a
foo=b
foo=c
I then have a sourcetype called sourcetype2 that contains the following 4 events:
bar=x, othervalue=4
bar=y, othervalue=3
bar=z, othervalue=2
bar=a, othervalue=1
If I do the simple search
index=myindex sourcetype=sourcetype1 | fields foo
I get back the expected 3 events: a, b, c.
I then try to use the map command
index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=$foo$"
and I get the error
[SimpleResultsTable module] Server reported HTTP status=400 while getting mode=results Error in 'map' command: Unable to run query 'search index=index2 bar=a'.
which makes me sad.
To further my confusion if I try a search just to get some different results
index=myindex sourcetype=sourcetype1 | fields foo | map search="search index=myindex sourcetype=sourcetype2 bar=x"
I end up with the results
a
b
c
which acts as if the subsearch never occurred. Any thoughts?
Thanks,
Kevin
Is all the search and indexing on one Splunk instance, or do you have multiple indexers and/or a separate search head? Until 4.2, the map command will not issue searches in distributed mode. Also, I believe that unless you specify otherwise, the maxsearches option to the map command defaults to 1, so you should set that higher.
Also, I'm assuming you're replacing real terms with foo and bar and a and b etc., but the error you get is usually because the search you've constructed is syntactically invalid. Try perhaps putting quotes around the argument:
... | map search="search index=index2 bar=\"$foo$\""
Better late than clever 😛
Map has been fixed for 4.2.4
I second the claim that this doesn't work. I only get the results from the original search, which is annoying as otherwise this would be a very useful command.
The only time I have ever seen this actually work as claimed is when invoking after a "| metadata" search, and then using map to iterate over hosts as suggested here: http://answers.splunk.com/questions/8175/iterate-a-search-over-a-collection-of-variables
Are the results that come back from a metadata search different from normal events?
I guess I will log a case about it.
Yeah, ummm, I've never had much (okay, ANY) success with the map command. I would recommend using the python API that Splunk ships with to automate this.
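Putting the quoting advice from the accepted answer together with the suggestion to script this outside SPL, here is an added example (not code from any poster on this thread) that emulates what map does: for each row of the outer search it substitutes the $foo$ token into the inner search template, quoting the value as an SPL double-quoted string so a value containing a space, a quote or a backslash cannot change the meaning of the constructed search, and it stops after maxsearches rows. The sample events are constructed to mirror the question; the inner search is evaluated by a small local field=value matcher rather than sent to Splunk, and the names spl_quote, render_map_search, run_local and map_search are this example's own.

```python
import re

# Constructed sample events mirroring the question (not real Splunk output).
SOURCETYPE1 = [{"foo": "a"}, {"foo": "b"}, {"foo": "c"}]
SOURCETYPE2 = [
    {"bar": "x", "othervalue": "4"},
    {"bar": "y", "othervalue": "3"},
    {"bar": "z", "othervalue": "2"},
    {"bar": "a", "othervalue": "1"},
]

# The map template from the question, with the substitution token left bare;
# render_map_search() adds the quotes so the caller never has to.
TEMPLATE = "search index=myindex sourcetype=sourcetype2 bar=$foo$"


def spl_quote(value):
    """Wrap a value as an SPL double-quoted string, escaping backslash and quote.

    Without this, a value like 'a b' becomes two search terms and a value like
    'a"b' leaves an unbalanced quote, which is the syntax error map reports.
    """
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def render_map_search(template, row):
    """Replace every $field$ token in the template with the quoted row value."""
    def substitute(match):
        name = match.group(1)
        if name not in row:
            raise KeyError("map template references missing field %r" % name)
        return spl_quote(row[name])
    return re.sub(r"\$(\w+)\$", substitute, template)


# Toy term grammar: key=value where value is either a double-quoted string
# (with backslash escapes) or a run of non-whitespace characters.
TERM_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_terms(search):
    """Pull field=value terms out of a rendered search string, unescaping quotes."""
    terms = {}
    for key, raw in TERM_RE.findall(search):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        terms[key] = raw
    return terms


def run_local(search, events):
    """Stand-in for issuing the search to Splunk: exact match on field terms.

    index and sourcetype are ignored because the constructed events carry
    neither; everything else must match exactly.
    """
    want = {k: v for k, v in parse_terms(search).items()
            if k not in ("index", "sourcetype")}
    return [e for e in events if all(e.get(k) == v for k, v in want.items())]


def map_search(outer_rows, template, inner_events, maxsearches=10):
    """Emulate `| map search=template maxsearches=N`: one inner search per row.

    Splunk's documented default for maxsearches is 10; rows beyond that limit
    are silently skipped, which is why a low limit can look like map did nothing.
    """
    results = []
    for row in outer_rows[:maxsearches]:
        results.extend(run_local(render_map_search(template, row), inner_events))
    return results


if __name__ == "__main__":
    for row in SOURCETYPE1:
        print(render_map_search(TEMPLATE, row))
    print(map_search(SOURCETYPE1, TEMPLATE, SOURCETYPE2))
```

Run as a script it prints the three rendered inner searches followed by the single joined event (bar=a, othervalue=1), which is what the map in the question should return once the value is quoted and maxsearches is large enough to cover every outer row. To use it against a live instance, replace run_local() with a call that submits the rendered string through Splunk's REST search endpoint; the quoting logic stays the same.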
@gkanapathy,
Good call on the quotes around $foo$. Single quotes work as well. I also added maxsearches. So that fixes the error I was getting. Running the fixed syntax still leaves me with the 3 results that the initial search produces. It's as if the map command isn't being run at all.
Right now I'm running this command against a single index, multiple sourcetypes (which differs from above, I'll update to reflect), on a single Splunk instance.