If you’re running saved searches in Splunk as subsearches inside of the map command, they are bound by the subsearch limitation.
This is an alternative command that doesn’t have this limitation as it starts a new job for each subsearch.
To use it, instead of calling:
| makeresults | map test
you call:
| makeresults | mapsearch search=test
While it lacks the full flexibility of map, the command still passes each event’s values as input parameters to each called saved search....
For multi-value fields that contain only one entry, the Splunk SDK for Python returns a string instead of a list. To enforce lists, you can use the following workaround:
If you’re using the @splunk/search-job API and want to return more than 100 results (the default value), you’ll have to pass count to the getResults function, e.g.:
SearchJob.create({ search: myQuery }).getResults({ count: 500 });
In case you’re using the @splunk/search-job API, you might find it annoying that the properties of the returned objects are all of type string. To fix this, I wrote a little type mapper (the unit test shows how to use it):
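As an added illustration of what such a mapper does (this is not the author’s mapper or anything from @splunk/search-job itself), the following converts the string-only result rows from getResults into typed values according to a per-field schema; the field names, the schema format and the sample row are assumptions made for the example.

```typescript
// Added example, not the original post's mapper: converts the string-typed
// fields of a @splunk/search-job result row into typed values. Fields not
// named in the schema stay as they are; values that do not parse become
// undefined instead of silently turning into NaN or a truthy string.
export type FieldType = "number" | "boolean" | "string" | "string[]";
export type Schema = Record<string, FieldType>;            // assumed schema format
export type RawRow = Record<string, string | string[]>;    // row as returned (all strings)
export type TypedValue = string | number | boolean | string[] | undefined;
export type TypedRow = Record<string, TypedValue>;

function convert(value: string | string[], type: FieldType): TypedValue {
  // Multi-value fields arrive as arrays; for scalar targets use the first entry.
  const first: string | undefined = Array.isArray(value) ? value[0] : value;
  const text = (first ?? "").trim();
  switch (type) {
    case "number": {
      const n = Number(text);
      return text === "" || Number.isNaN(n) ? undefined : n;
    }
    case "boolean": {
      const v = text.toLowerCase();
      if (v === "true" || v === "1" || v === "yes") return true;
      if (v === "false" || v === "0" || v === "no") return false;
      return undefined;
    }
    case "string[]":
      return Array.isArray(value) ? value : [value];
    default:
      return first;
  }
}

export function mapRow(row: RawRow, schema: Schema): TypedRow {
  const out: TypedRow = {};
  for (const [field, value] of Object.entries(row)) {
    const type = schema[field];
    out[field] = type === undefined ? value : convert(value, type);
  }
  return out;
}

export function mapRows(rows: RawRow[], schema: Schema): TypedRow[] {
  return rows.map((row) => mapRow(row, schema));
}

// Constructed sample row shaped like one getResults() row (hypothetical field names).
export const sampleRow: RawRow = {
  host: "web01", count: "42", failed: "false", tags: ["auth", "ssh"], latency: "n/a",
};
export const sampleSchema: Schema = {
  count: "number", failed: "boolean", tags: "string[]", latency: "number",
};
```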
How to programmatically connect a search datasource to a Splunk visualization (without using the dashboard):