#
# Struggling with "map" command? "join" may do the same job.
# join vs map
# ( This might not be a great example, but you can run it as-is against Splunk's own logs and see the search command produce real results. )
#
map is fine when it works, but sometimes its result is not what you wanted.
For example, as of this writing (March 2012) map cannot pass a value that contains a character Splunk has to escape, because it splices the field value into the subsearch as-is.
A Windows path such as "C:\Users" passed through map as a field value therefore fails: Splunk needs the backslash escaped, i.e. "C:\\Users". Quoting the token ( series="$series$" ) keeps values with spaces intact, but does nothing for backslashes, and a value that itself contains a double quote would break the quoted form as well.
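To make the escaping problem concrete, here is a stand-alone Python model of what map's $field$ substitution does to such values, next to the quoting Splunk actually needs. This is an added illustration, not code from this page or from Splunk: the rows are constructed stand-ins for the output of the stats/head pipeline, the template is the subsearch used below, and the helper names (naive_substitute, spl_string, safe_substitute, needs_escaping, build_searches) are mine. It assumes Splunk's string-literal rule that, inside a double-quoted value, a backslash and a double quote are each escaped with a backslash.

```python
"""Added illustration: raw $field$ splicing versus properly escaped SPL literals.

map substitutes each field value into its search string verbatim. Splunk
only reads a literal backslash or double quote inside a quoted value if it
is escaped with a backslash, so C:\\Users has to become "C:\\\\Users" before
it is safe to splice into a search. Nothing here is map's own code, and the
rows are constructed, not real metrics.log output.
"""
import re

# Constructed stand-in for the output of
#   stats sum(kb) as VolKB by series, splunk_server, host | sort - VolKB | head 5
TOP_ROWS = [
    {"series": "/var/log/messages", "VolKB": 812.4},
    {"series": r"C:\Users\svc\AppData\app.log", "VolKB": 533.9},
    {"series": r"C:\Program Files\app\trace.log", "VolKB": 120.0},
    {"series": 'odd"name.log', "VolKB": 9.1},
]

# The subsearch template. The token is deliberately left unquoted here:
# safe_substitute() supplies the quotes itself, so the template must not.
SUBSEARCH = (
    'search index=_internal source="*metrics.log*" group=per_source_thruput '
    "series=$series$ earliest=-1d@d latest=@d "
    "| stats sum(kb) as VolKB by splunk_server, series, host"
)

TOKEN = re.compile(r"\$(\w+)\$")


def naive_substitute(template, row):
    """What a raw $field$ substitution produces: the value is spliced in
    verbatim, so backslashes, spaces and quotes reach the parser as-is."""
    return TOKEN.sub(lambda m: str(row[m.group(1)]), template)


def spl_string(value):
    """Render a value as a double-quoted SPL string literal.

    Assumed rule: inside double quotes a backslash escapes the next
    character, so literal backslashes and double quotes get a backslash in
    front of them. Backslashes are handled first; otherwise the backslash
    added for a quote would itself be doubled afterwards.
    """
    value = str(value)
    value = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + value + '"'


def safe_substitute(template, row):
    """Substitute each $field$ with a properly quoted and escaped literal."""
    return TOKEN.sub(lambda m: spl_string(row[m.group(1)]), template)


def needs_escaping(value):
    """True if raw, unquoted substitution of this value would not survive
    the search parser: a backslash, a double quote, or a space that would
    split the value into separate search terms."""
    return any(ch in str(value) for ch in ('\\', '"', ' '))


def build_searches(template, rows):
    """Return (series, safely substituted search string) pairs, one per row,
    i.e. the per-series searches map would have to run."""
    return [(r["series"], safe_substitute(template, r)) for r in rows]


if __name__ == "__main__":
    for row in TOP_ROWS:
        flag = "BREAKS" if needs_escaping(row["series"]) else "ok    "
        print(f"[{flag}] raw : {naive_substitute(SUBSEARCH, row)}")
        print(f"         safe: {safe_substitute(SUBSEARCH, row)}")
```

Running it prints each series twice: once as map splices it in, and once as the quoted, escaped literal Splunk would accept. The Windows paths and the name containing a double quote are the cases that break in the raw form; the quoting in spl_string is also what you want when you generate per-series searches yourself (for example from a script) instead of through map.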
Anyway, let's try a search with the "map" command.
We're going to pick the five sources (series) with the largest indexed volume in the last full hour, then look up yesterday's volume for each of them.
( This is not a great example, but it only needs Splunk's own _internal index, so it is easy to test. )
Note that the stats groups by splunk_server and host as well as series, so the same series can occupy more than one of the five rows if it is indexed on several peers; put a dedup on series before the head if you want five distinct sources.
# Assumes a search head with several search peers, so that the splunk_server field tells you which indexer each row came from; on a single instance it only ever holds that instance's own name.
index=_internal source="*metrics.log*" group=per_source_thruput earliest=-1h@h latest=@h
| stats sum(kb) as VolKB by series, splunk_server, host
| sort - VolKB
| head 5
| map [ search index=_internal source="*metrics.log*" group=per_source_thruput series="$series$" earliest=-1d@d latest=@d
| stats sum(kb) as VolKB by splunk_server, series, host
| sort - VolKB ]
| streamstats count by series
- streamstats only numbers the rows within each series (the "rank" of each splunk_server/host pair); it does not filter anything. No sort by series is needed inside the map subsearch: each map run handles exactly one series and map appends the runs in input order.
#
# Actually we can do the same job with join
#
index=_internal source="*metrics.log*" group=per_source_thruput earliest=-1d@d latest=@d
| stats sum(kb) as VolKB by splunk_server, series, host
| join type=inner series [ search index=_internal source="*metrics.log*" group=per_source_thruput earliest=-1h@h latest=@h
| stats sum(kb) as VolKB by series, splunk_server, host
| sort - VolKB
| head 5
| table series ]
| sort - series, - VolKB
| streamstats count by series
| where count <= 5
- Here the stats runs before the join on purpose: joining the aggregated rows instead of every raw per_source_thruput event from yesterday gives the same result with far fewer rows going through join. The subsearch only returns series, so the inner join simply drops every row whose series is not in the last hour's top five.
- In the join version the streamstats/where pair is not optional: the join already restricts the rows to the five series, but each series still has one row per splunk_server/host, and "where count <= 5" keeps only the five largest of those. The map version above returns every row per series; add the same where clause there if you want identical output.