Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF



The map command is a looping operator that runs a search repeatedly for each input event or result. You can run the map command on a saved search or an ad hoc search.


map (<searchoption> | <savedsplunkoption>) [maxsearches=int]

Required arguments

Syntax: <string>
Description: Name of a saved search to run for each input result.
Default: No default.
Syntax: search="<string>"
Description: A literal search to run for each input result. For example:
...| map search="search index=_internal earliest=$myearliest$ latest=$mylatest$".
Default: No default.

Optional arguments

Syntax: maxsearches=<int>
Description: The maximum number of searches to run. A message is generated if there are more search results than the maximum number that you specify.
Default: 10


When using a savedsearch or a literal search, the map command supports the substitution of $variable$ strings that match field names in the input results. A search with a string like $count$, for example, will replace the string with the value of the count field in the input search result.

The map command also supports a search ID field, provided as $_serial_id$. The search ID field will have a number that increases incrementally each time that the search is run. In other words, the first run search will have the ID value 1, and the second 2, and so on.

Basic examples

1. Invoke the map command with a saved search

error | localize | map mytimebased_savedsearch

2. Map the start and end time values

... | map search="search starttimeu::$start$ endtimeu::$end$" maxsearches=10

Extended examples

1. Use a Sudo event to locate the user logins

This example illustrates how to find a Sudo event and then use the map command to trace back to the computer and the time that users logged on before the Sudo event. Start with the following search for the Sudo event.

sourcetype=syslog sudo | stats count by user host

This search returns a table of results.

User Host Count
userA serverA 1
userB serverA 3
userA serverB 2

Pipe these results into the map command, substituting the username.

sourcetype=syslog sudo | stats count by user host | map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

It takes each of the three results from the previous search and searches in the ad_summary index for the logon event for the user. The results are returned as a table.

_time computername computertime username usertime
10/12/16 8:31:35.00 AM Workstation$ 10/12/2016 08:25:42 userA 10/12/2016 08:31:35 AM

(Thanks to Splunk user Alacercogitatus for this example.)

See also

gentimes, search


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the map command.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 7.0.0


You list the function and default values of "maxsearches" but not the upper limit. I assume that this is related to the "subsearch" limit, but this should all be explained with specifics.

February 4, 2017

The map syntax in this documentation is incorrect:
1. the [... | map search="....." maxsearches=n] syntax does not work for stats commands of a certain complexity. More specifically:

- "... | stats count" works
- BUT "... | stats count(eval(x="..."))" does not work

2. What works with both commands is the following syntax:

- "... | map [....search....] maxsearches=n"

so replace quotes with square brackets and ignore the "search=".

August 4, 2016

What is the max value for maxsearches? Is there a way to NOT have a max (set to 0 or -1)?

August 18, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters