Community:Search Report: Use join or map

From Splunk Wiki

# Struggling with "map" command? "join" may do the same job.
# join vs map
# ( This might not be a good example. But, at least you can try the sample and experience the search command with real results )

map is good when it works, but sometimes its result is not what you wanted.
For example, as of today (Mar. 2012), map fails to pass a value that contains a character which needs escaping.
A Windows path like "C:\Users" passed as a value to "map" fails because Splunk needs the "\" escaped, as in "C:\\Users".


Anyway, let's try a search with the "map" command.

We're going to identify the top 5 sources indexed yesterday and check the last hour's volume for those five.
( This is not a great example, but you can test how the search works with Splunk's internal logs, so it is easy to try. )

# Assuming this is a search head with multiple search peers, so that you get the splunk_server field.
# Note: "sort" has no "by" clause ("sort - VolKB by series" would treat "by" as a field name), so sort on series and VolKB in one command.
index=_internal source="*metrics.log*" per_source_thruput earliest=-1h@h latest=@h
  | stats sum(kb) as VolKB by series, splunk_server, host
  | sort - VolKB
  | head 5
  | map [ search index=_internal source="*metrics.log*" series=$series$ per_source_thruput earliest=-1d@d latest=@d
       | stats sum(kb) as VolKB by splunk_server, series, host
       | sort - series, - VolKB ]
  | streamstats count by series

 - streamstats is added only to show the "rank" within each series

# Actually we can do the same job with join

index=_internal source="*metrics.log*" per_source_thruput earliest=-1d@d latest=@d
  | join series [ search index=_internal source="*metrics.log*" per_source_thruput earliest=-1h@h latest=@h
                   | stats sum(kb) as VolKB by series, splunk_server, host
                   | sort - VolKB
                   | head 5
                   | table series ]
  | stats sum(kb) as VolKB by splunk_server, series, host
  | sort - series, - VolKB
  | streamstats count by series
  | where count <= 5

- streamstats is not optional in this "join" search: it is needed to select the top five.
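To see why the two searches above land on the same rows, here is a small Python model of both pipelines, added as an illustration (it is not part of the wiki page and not Splunk code). It runs the "map" route (one per-row subsearch with $series$ substituted) and the "join" route (one search filtered by the subsearch's series list) over constructed metrics.log-style rows; series names, hosts, servers and kb values are made up.

```python
from collections import defaultdict

# Constructed rows, not real Splunk data: (window, series, splunk_server, host, kb)
# window "1h" = earliest=-1h@h latest=@h, window "1d" = earliest=-1d@d latest=@d
ROWS = [
    ("1h", "WinEventLog:Security", "idx2", "dc1", 120.0),
    ("1h", "/var/log/nginx/access.log", "idx2", "web1", 90.0),
    ("1h", "C:\\Users\\svc\\app.log", "idx2", "app1", 60.0),  # the backslash value the page mentions
    ("1h", "/var/log/auth.log", "idx1", "web1", 40.0),
    ("1h", "/var/log/syslog", "idx1", "web1", 30.0),
    ("1h", "/var/log/dpkg.log", "idx1", "web2", 1.0),  # outside the top 5, must be dropped
    ("1d", "WinEventLog:Security", "idx2", "dc1", 3000.0),
    ("1d", "/var/log/nginx/access.log", "idx2", "web1", 2200.0),
    ("1d", "C:\\Users\\svc\\app.log", "idx2", "app1", 1500.0),
    ("1d", "/var/log/auth.log", "idx1", "web1", 900.0),
    ("1d", "/var/log/auth.log", "idx1", "web2", 700.0),
    ("1d", "/var/log/syslog", "idx1", "web1", 500.0),
    ("1d", "/var/log/dpkg.log", "idx1", "web2", 10.0),
]

def stats_sum_kb(rows, window, series=None):
    """stats sum(kb) as VolKB by series, splunk_server, host (optionally for one series)."""
    vol = defaultdict(float)
    for w, s, srv, h, kb in rows:
        if w == window and (series is None or s == series):
            vol[(s, srv, h)] += kb
    return [(s, srv, h, v) for (s, srv, h), v in vol.items()]

def top5_last_hour(rows):
    """... | sort - VolKB | head 5 over the last-hour window."""
    return sorted(stats_sum_kb(rows, "1h"), key=lambda r: r[3], reverse=True)[:5]

def rank_by_series(result):
    """sort - series, - VolKB | streamstats count by series -> (series, server, host, VolKB, count)."""
    seen, ranked = defaultdict(int), []
    for s, srv, h, v in sorted(result, key=lambda r: (r[0], r[3]), reverse=True):
        seen[s] += 1
        ranked.append((s, srv, h, v, seen[s]))
    return ranked

def map_version(rows):
    """map: one yesterday subsearch per top-5 row; a series listed twice would run (and appear) twice."""
    out = []
    for s, _srv, _h, _vol in top5_last_hour(rows):
        out.extend(stats_sum_kb(rows, "1d", series=s))  # real SPL would need "\" escaped here
    return rank_by_series(out)

def join_version(rows):
    """join series [... | table series]: one yesterday search kept only where series matches."""
    keep = {r[0] for r in top5_last_hour(rows)}
    daily = [r for r in rows if r[0] == "1d" and r[1] in keep]  # inner join on series
    return [r for r in rank_by_series(stats_sum_kb(daily, "1d")) if r[4] <= 5]  # where count <= 5
```

Note that the map route never needs the escaping step in this model, which is exactly the part that fails in Splunk for values such as the Windows path.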
