map
Synopsis
Looping operator, performs a search over each search result.
Syntax
map (<searchoption>|<savedsplunkoption>) [maxsearches=int]
Required arguments
- <savedsplunkoption>
- Syntax: <string>
- Description: Name of a saved search. No default.
- <searchoption>
- Syntax: [ <subsearch> ] | search="<string>"
- Description: The search to map. The search argument can either be a subsearch to run or just the name of a saved search. The argument also supports the metavariable $_serial_id$, a 1-based serial number within map of the search being executed.
  For example: [search starttimeu::$start$ endtimeu::$end$ source="$source$"]
  No default.
Optional arguments
- maxsearches
- Syntax: maxsearches=<int>
- Description: The maximum number of searches to run. A message is generated if there are more search results than this limit. Defaults to 10.
Description
For each input search result, takes the field values from that result and substitutes their values for the $variable$ tokens in the search argument.
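The substitution described above can be previewed outside Splunk. The following Python model is an added example, not Splunk code: it expands a search template once per result, numbers each run with $_serial_id$, and stops at maxsearches. The name expand_map, the sample results, the notice text, and the handling of tokens with no matching field are assumptions.

```python
import re

# $name$ tokens in the search argument of map
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")

def expand_map(template, results, maxsearches=10):
    """Return (searches, message): one expanded search per input result.

    message is a constructed notice, set only when there are more results
    than maxsearches; its wording is not Splunk's.
    """
    searches = []
    for serial_id, row in enumerate(results[:maxsearches], start=1):
        def substitute(match, row=row, serial_id=serial_id):
            name = match.group(1)
            if name == "_serial_id":          # 1-based position within map
                return str(serial_id)
            if name in row:                   # field value from this result
                return str(row[name])
            return match.group(0)             # assumption: unknown token kept
        searches.append(TOKEN.sub(substitute, template))
    message = None
    if len(results) > maxsearches:
        message = "%d results, only the first %d were mapped" % (
            len(results), maxsearches)
    return searches, message

# Constructed sample results, shaped like the start/end/source fields above
RESULTS = [
    {"start": 1300000000, "end": 1300000060, "source": "/var/log/auth.log"},
    {"start": 1300000300, "end": 1300000420, "source": "/var/log/auth.log"},
    {"start": 1300000900, "end": 1300000930, "source": "/var/log/secure"},
]
TEMPLATE = 'search starttimeu::$start$ endtimeu::$end$ source="$source$"'

if __name__ == "__main__":
    searches, message = expand_map(TEMPLATE, RESULTS, maxsearches=2)
    for s in searches:
        print(s)
    if message:
        print("note:", message)
```

Field values are placed into the search text as-is, so printing the expanded searches shows exactly what each mapped run would contain.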
Examples
Example 1: Example usage
error | localize | map mytimebased_savedsearch
Example 2: Example usage
... | map search="search starttimeu::$start$ endtimeu::$end$" maxsearches=10
See also
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3