map
Description
Executes a search query for each incoming event.
Syntax
map <subsearch> [<maxsearches>]
Mandatory Arguments
| Parameter | Syntax | Description |
|---|---|---|
| <subsearch> | [ subsearch ] | The query must be enclosed in square brackets and start with a data-source command (source, script, makeresults, etc.). |

Fields whose names are written with dollar signs ($<field>$) are replaced with the corresponding values from the incoming events.
If a field name is passed as a string (in double quotes), its value is not substituted.
...
| eval res = "$my_field$"
In this example, $my_field$ is not replaced with the value from the input data, because it is inside a double-quoted string.
Optional Arguments
| Parameter | Syntax | Default | Description |
|---|---|---|---|
| <maxsearches> | maxsearches=<int> | 10 | The maximum number of search queries (one subsearch per incoming event). |

Setting maxsearches=0 does not mean an unlimited number of searches.
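The two rules above (dollar-sign substitution that skips double-quoted strings, and the maxsearches cap) are easy to get wrong when reading a query by eye. The following Python model of them is an added example, not part of this reference and not the product's own implementation; it assumes a missing field is an error (the page does not say what the real command does in that case) and uses constructed sample events in place of source math_logs.

```python
import re
from typing import Callable, Dict, List

# Constructed sample events standing in for `source math_logs`.
EVENTS: List[Dict[str, str]] = [
    {"host_name": "host121", "index": "main"},
    {"host_name": "host122", "index": "main"},
    {"host_name": "host123", "index": "main"},
    {"host_name": "host124", "index": "main"},
]

# Either a complete double-quoted string (group 1 unset) or a $field$ token
# (group 1 = field name). Listing the quoted form first makes the regex
# consume quoted text as a whole, so tokens inside quotes are never touched.
TOKEN = re.compile(r'"[^"]*"|\$([A-Za-z_][A-Za-z0-9_]*)\$')


def substitute(template: str, event: Dict[str, str]) -> str:
    """Replace each $field$ in the subsearch text with the event's value.

    Anything inside double quotes is returned verbatim, matching the rule
    that a quoted "$field$" is a literal string, not a substitution.
    """
    def repl(match: "re.Match[str]") -> str:
        if match.group(1) is None:            # a quoted string: keep as-is
            return match.group(0)
        name = match.group(1)
        if name not in event:                 # assumption: unknown field is an error
            raise KeyError(f"event has no field {name!r}")
        return str(event[name])

    return TOKEN.sub(repl, template)


def run_map(events: List[Dict[str, str]],
            template: str,
            execute: Callable[[str], Dict[str, str]],
            maxsearches: int = 10) -> List[Dict[str, str]]:
    """Run `execute(query)` once per incoming event, at most `maxsearches` times.

    maxsearches=0 runs no subsearch at all; it is a cap, not "unlimited".
    """
    results = []
    for position, event in enumerate(events):
        if position >= maxsearches:
            break
        results.append(execute(substitute(template, event)))
    return results


def demo() -> List[Dict[str, str]]:
    """Model of Example 1: maxsearches=3 over four events, $host_name$ substituted."""
    template = "source tweets | eval res = $host_name$"
    # The stand-in executor just records the expanded query text.
    return run_map(EVENTS, template, lambda q: {"query": q}, maxsearches=3)


if __name__ == "__main__":
    for row in demo():
        print(row["query"])
    print(substitute('| eval res = "$my_field$"', {"my_field": "ignored"}))
```

Running the script prints three expanded queries (host121, host122, host123; the fourth event is never searched) followed by the quoted form left exactly as written.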
Examples
Example 1
In this example, maxsearches=3 limits execution of the subquery to the first three incoming events from math_logs. Inside the subquery, the value of $host_name$ from the current event is substituted and assigned to the field res.
source math_logs
| map maxsearches=3
[source tweets
| eval res = $host_name$ ]
Example 2
In this example, map executes the subquery for each event, and then where keeps only the rows whose res value matches the required host name.
source math_logs
| map
[source tweets
| eval res = $host_name$ ]
| where res == "host121"
Example 3
In this example, the multivalue field $index$ is substituted into the subquery, and the mvcount function counts the number of its values.
source tweets8 qsize=1
| map
[source math_logs | eval res = mvcount($index$) ]