Search Reference

map

Synopsis

Looping operator, performs a search over each search result.

Syntax

map (<searchoption>|<savedsplunkoption>) [maxsearches=int]

Required arguments

<savedsplunkoption>
Syntax: <string>
Description: Name of a saved search. No default.
<searchoption>
Syntax: [ <subsearch> ] | search="<string>"
Description: The search to map. The search argument can either be a subsearch to run or just the name of a saved search. The argument also supports the metavariable: $_serial_id$, a 1-based serial number within map of the search being executed, for example: [search starttimeu::$start$ endtimeu::$end$ source="$source$"]. No default.

Optional arguments

maxsearches
Syntax: maxsearches=<int>
Description: The maximum number of searches to run. If the input contains more results than this, the remaining results are skipped and a message is generated. Defaults to 10.

Description

For each input (each result of a previous search), the map command iterates through the field-values from that result and substitutes their value for the $variable$ in the search argument. For more information,

Examples

Example 1: Invoke the map command with a saved search.

error | localize | map mytimebased_savedsearch

Example 2: Maps the start and end time values.

... | map search="search starttimeu::$start$ endtimeu::$end$" maxsearches=10

Example 3: This example illustrates how to find a sudo event and then use the map command to trace back to the computer and the time that users logged on before the sudo event. Start with the following search for the sudo event:

sourcetype=syslog sudo | stats count by user host

This returns a table of results such as:

User    Host      Count
userA   serverA   1
userB   serverA   3
userA   serverB   2

When you pipe these results into the map command, substituting the username:

sourcetype=syslog sudo | stats count by user host | map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"

It takes each of the three results from the previous search and searches in the ad_summary index for the user's logon event. The results are returned as a table, such as:

_time                    computername   computertime          username   usertime
10/12/12 8:31:35.00 AM   Workstation$   10/12/2012 08:25:42   userA      10/12/2012 08:31:35 AM

(Thanks to Alacercogitatus for this example.)
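The substitution behaviour described in the Description section and used in Example 3 can be modelled in a few lines. The following Python is an added illustration, not part of the Splunk documentation or the map command's implementation: it expands $field$ tokens and $_serial_id$ from each input result, applies the maxsearches limit, and returns the generated search strings. The sample rows are constructed to match the table in Example 3; how the real command treats an unknown $field$ is an assumption of this model.

```python
import re

# Constructed rows standing in for the output of
# "sourcetype=syslog sudo | stats count by user host" (Example 3).
SUDO_RESULTS = [
    {"user": "userA", "host": "serverA", "count": 1},
    {"user": "userB", "host": "serverA", "count": 3},
    {"user": "userA", "host": "serverB", "count": 2},
]

# The search= template from Example 3.
TEMPLATE = "search index=ad_summary username=$user$ type_logon=ad_last_logon"

# A $name$ token: field name between dollar signs.
VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)\$")


def expand(template, result, serial_id):
    """Substitute $field$ tokens in template with values from one result.

    $_serial_id$ is the 1-based position of this search within the map
    run, as documented in the Syntax section. A token naming a field the
    result does not carry is left untouched (model assumption, not a
    documented Splunk behaviour).
    """
    def sub(match):
        name = match.group(1)
        if name == "_serial_id":
            return str(serial_id)
        if name in result:
            return str(result[name])  # value is inserted verbatim
        return match.group(0)
    return VAR.sub(sub, template)


def map_searches(template, results, maxsearches=10):
    """Return (generated searches, message).

    At most maxsearches searches are generated; a message is returned
    when input results had to be skipped, mirroring the documented
    maxsearches behaviour. message is None when nothing was skipped.
    """
    searches = [expand(template, row, i + 1)
                for i, row in enumerate(results[:maxsearches])]
    message = None
    if len(results) > maxsearches:
        message = (f"map: {len(results)} input results but "
                   f"maxsearches={maxsearches}; remaining results skipped")
    return searches, message
```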

See also

gentimes, search

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the map command.

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 5.0 , 5.0.1 , 5.0.2 View the Article History for its revisions.

