map
This documentation does not apply to the most recent version of Splunk.
Synopsis
Looping operator that runs a search once for each input search result.
Syntax
map (<searchoption>|<savedsplunkoption>) [<maxsearchesoption>]
Arguments
- <maxsearchesoption>
- Syntax: maxsearches=<int>
- Description: The maximum number of searches to run. A message is generated if there are more search results than this.
- <savedsplunkoption>
- Syntax: <string>
- Description: Name of a saved search.
- <searchoption>
- Syntax: search="<string>"
- Description: The search to map. The search argument can be either a subsearch to run or just the name of a saved search. The argument also supports the metavariable:
$_serial_id$, a 1-based serial number within map of the search being executed.
Description
For each input search result, takes the field values from that result and substitutes each value for the corresponding $variable$ in the search argument.
Examples
Example 1: Example usage
error | localize | map mytimebased_savedsearch
Example 2: Example usage
... | map search="search starttimeu::$start$ endtimeu::$end$" maxsearches=10
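The following Python sketch is an added illustration, not Splunk code: it models the substitution described above by expanding the search string from Example 2 once per input result. The function name expand_map, the sample rows, the message text, and the choice to leave a token unchanged when the result has no such field are assumptions of this model.

```python
import re

# A $name$ token as it appears in the search argument, e.g. $start$.
TOKEN = re.compile(r"\$(\w+)\$")


def expand_map(results, search, maxsearches):
    """Model of map: return (searches, message).

    results     -- list of dicts, one per input search result
    search      -- the search="..." string containing $field$ tokens
    maxsearches -- upper bound on the number of searches generated
    """
    searches = []
    # _serial_id is 1-based, counting the searches map executes.
    for serial, row in enumerate(results[:maxsearches], start=1):
        values = dict(row)
        values["_serial_id"] = serial

        def substitute(match, values=values):
            name = match.group(1)
            # Model assumption: unknown tokens are left as written.
            return str(values[name]) if name in values else match.group(0)

        # Values are inserted into the search string as plain text.
        searches.append(TOKEN.sub(substitute, search))

    message = None
    if len(results) > maxsearches:
        # Wording of the message is constructed for this model.
        skipped = len(results) - maxsearches
        message = "maxsearches=%d reached; %d result(s) not searched" % (
            maxsearches, skipped)
    return searches, message


# Constructed sample results carrying the start/end fields used in Example 2.
SAMPLE_RESULTS = [
    {"start": 1262304000, "end": 1262304060},
    {"start": 1262307600, "end": 1262307660},
    {"start": 1262311200, "end": 1262311260},
]

if __name__ == "__main__":
    template = "search starttimeu::$start$ endtimeu::$end$"
    generated, note = expand_map(SAMPLE_RESULTS, template, maxsearches=2)
    for line in generated:
        print(line)
    print(note)
```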
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11