map command is a looping operator that runs a search repeatedly for each input event or result. You can run the map command on a saved search or an ad hoc search.
This command is considered risky because, if used incorrectly, it can pose a security risk or potentially lose data when it runs. As a result, this command triggers SPL safeguards. See SPL safeguards for risky commands in Securing the Splunk Platform.
The required syntax is in bold.
- (<searchoption> | <savedsplunkoption>)
You must specify either <savedsplunkoption> or <searchoption>.
- Syntax: <string>
- Description: The name of a saved search to run for each input result.
- Default: No default.
- Syntax: search="<string>"
- Description: An ad hoc search to run for each input result. For example:
...| map search="search index=_internal earliest=$myearliest$ latest=$mylatest$".
- Default: No default.
- Syntax: maxsearches=<int>
- Description: The maximum number of searches to run. A message is generated if there are more search results than the maximum number that you specify. Zero ( 0 ) does not equate to unlimited searches.
- Default: 10
map command is a dataset processing command. See Command types.
A subsearch can be initiated through a search command such as the
map command. See Initiating subsearches with search commands in the Splunk Cloud Platform Search Manual.
You cannot use the
map command after an
appendpipe command in your search pipeline.
Variable for field names
When using a saved search or a literal search, the
map command supports the substitution of $variable$ strings that match field names in the input results. A search with a string like $count$, for example, will replace the variable with the value of the
count field in the input search result.
When using the
map command in a dashboard
<form> or a saved search, use double dollar signs ($$) to specify a variable string. For example,
$$count$$. See Dashboards and forms.
Search ID field
map command also supports a search ID field, provided as $_serial_id$. The search ID field will have a number that increases incrementally each time that the search is run. In other words, the first run search will have the ID value 1, and the second 2, and so on.
1. Invoke the map command with a saved search
error | localize | map mytimebased_savedsearch
2. Map the start and end time values
... | map search="search starttimeu::$start$ endtimeu::$end$" maxsearches=10
1. Use a Sudo event to locate the user logins
This example illustrates how to find a Sudo event and then use the
map command to trace back to the computer and the time that users logged on before the Sudo event. Start with the following search for the Sudo event.
sourcetype=syslog sudo | stats count by user host
This search returns a table of results.
Pipe these results into the
map command, substituting the username.
sourcetype=syslog sudo | stats count by user host | map search="search index=ad_summary username=$user$ type_logon=ad_last_logon"
It takes each of the three results from the previous search and searches in the
ad_summary index for the logon event for the user. The results are returned as a table.
|10/12/16 8:31:35.00 AM||Workstation$||10/12/2016 08:25:42||userA||10/12/2016 08:31:35 AM|
(Thanks to Splunk user Alacercogitatus for this example.)
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5
Feedback submitted, thanks!