map

Use the map command to join a view that was created using the createview command, with the groups identified by the link command to create new properties.

Syntax

map <subquery> using <view_name>

Parameters

The following table lists the parameters used in this command, along with their descriptions.

Parameter Description

subquery

The subquery to describe the new properties to associate with the groups. It has two parts:

  • A where clause that is evaluated for each group: The where clause can use fields from the current group, as well as fields from a view created using the createview command. This enables searching across or joining of two groups

  • An eval statement: The fields created by the eval statement are set on the groups that matched the where clause. A group will be matched only once.

view_name

The name of the view to use in the map command.

For examples of using this command in typical scenarios, see:

The following command creates a property to mark all the entity groups with application error:

* | link Entity, Label 
  | createview [ 
    * | where Label = 'Application Error' 
    | rename Entity as 'Application Error Entity' 
    ] as 'Application Error View' 
  | map [ * | where Entity = 'Application Error Entity' 
    | eval 'Has Issue' = Yes 
    ] using 'Application Error View'

Was this article helpful?