Running Mapped Subsearches Without Limits In Splunk

If you’re running saved searches in Splunk as subsearches inside of the map command, they are bound by the subsearch limitation. mapsearch is an alternative command that doesn’t have this limitation, as it starts a new job for each subsearch. To use it, instead of calling:

    | makeresults | map test

you use:

    | makeresults | mapsearch search=test

Although it lacks the full flexibility of map, the command also passes each event’s values as input parameters to each called saved search....

March 27, 2022 · 1 min · Marcus Schiesser