map
Description
Executes a search query for each incoming event.
Syntax
map <subsearch> [<maxsearches>]
Mandatory Arguments
| Parameter | Syntax | Description |
|---|---|---|
<subsearch> | [ subsearch ] | The query must be enclosed in square brackets and start with a source (source, script, makeresults, etc.). |
info
Fields whose names are written with dollar signs ($<field>$) will be replaced with corresponding values from the incoming events.
danger
If a field name is passed as a string (in double quotes), its value will not be substituted.
Example
...
| eval res = "$my_field$"
In this example, $my_field$ will not be replaced with the value from the input data.
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
<maxsearches> | maxsearches=<int> | 10 | The maximum number of search queries. |
warning
A maxsearches=0 value does not indicate unlimited search.
Query Examples
In the first example, sub-queries will be executed for the first three events from the math_logs index. The variable res will be assigned the value of host_name from the incoming event.
Example №1
source math_logs
| map maxsearches=3
[source tweets
| eval res = $host_name$ ]
Example №2
source math_logs
| map
[source tweets
| eval res = $host_name$ ]
| where res == "host121"
Example №3
source tweets8 qsize=1
| map
[source math_logs | eval res = mvcount($index$) ]