I don't seem to be able to wrap my head around this search. I have a set of data that uses a unique ID to tie a chain of actions together across multiple events. I want to search through the index, find the IDs from all of the events that match match_criteria1, then return any event in the index that has one of those IDs.
name    ID   other field
------  ---  ----------------
event1  A    match_criteria1
event2  B    match_criteria1
event3  C    match_criteria1
event4  A    something
event5  B    something
event6  D    something else
event7  E    other data
event8  E    other data 2
Should return:
name    ID   other field
------  ---  ----------------
event1  A    match_criteria1
event2  B    match_criteria1
event3  C    match_criteria1
event4  A    something
event5  B    something
Any ideas?
Try something like this:
index=Blah sourcetype=blah [search index=Blah sourcetype=blah other_field=match_criteria1 | stats count by ID | table ID ] | table name ID other_field
Hmm... that's exactly what I've seen examples of and tried, but it isn't returning any results. I need to do an eval on the criteria field; perhaps that is messing it up.
If you append a search like that, which generates a single-column table, is it equivalent to
"field=a OR field=b OR field=c"
- OR -
"a OR b OR c"?
Yes, the subsearch will generate the OR condition like that.
Could you share the query that you tried (and failed), so we can see any possible issues with it?
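The two-pass logic that the subsearch in the answer performs, and the OR expansion asked about in the follow-up, modelled in Python as an added example (this is not code from the thread, and the sample events are a constructed copy of the question's table). The inner pass mirrors `... other_field=match_criteria1 | stats count by ID | table ID`, the expansion mirrors Splunk substituting a single-field subsearch result as `(ID="A") OR (ID="B") OR ...`, and the outer pass applies that condition to every event in the index.

```python
# Added example (not from the thread): models what the Splunk subsearch in the
# accepted answer does, over a constructed copy of the question's sample data.
from typing import Dict, List, Tuple

# Constructed sample events mirroring the question's table.
EVENTS: List[Dict[str, str]] = [
    {"name": "event1", "ID": "A", "other_field": "match_criteria1"},
    {"name": "event2", "ID": "B", "other_field": "match_criteria1"},
    {"name": "event3", "ID": "C", "other_field": "match_criteria1"},
    {"name": "event4", "ID": "A", "other_field": "something"},
    {"name": "event5", "ID": "B", "other_field": "something"},
    {"name": "event6", "ID": "D", "other_field": "something else"},
    {"name": "event7", "ID": "E", "other_field": "other data"},
    {"name": "event8", "ID": "E", "other_field": "other data 2"},
]


def inner_search(events: List[Dict[str, str]], field: str, value: str,
                 key: str = "ID") -> List[str]:
    """Inner subsearch: filter on field=value, then 'stats count by key | table key'.

    'stats count by' collapses each key to one row, so a set is used here and
    the result is sorted the way stats orders its groups.
    """
    return sorted({e[key] for e in events if e.get(field) == value})


def subsearch_expansion(key: str, values: List[str]) -> str:
    """Splunk hands a single-field subsearch result to the outer search as
    field=value pairs joined with OR; this builds that implicit condition.
    A subsearch that matched nothing contributes no IDs at all."""
    return " OR ".join(f'({key}="{v}")' for v in values)


def outer_search(events: List[Dict[str, str]], key: str,
                 values: List[str]) -> List[Dict[str, str]]:
    """Outer search with the expanded condition: keep every event whose key
    is one of the IDs the subsearch produced, whatever its other_field is."""
    wanted = set(values)
    return [e for e in events if e.get(key) in wanted]


def chain_search(events: List[Dict[str, str]], field: str, value: str,
                 key: str = "ID") -> Tuple[str, List[Dict[str, str]]]:
    """Run both passes; return the implicit OR condition and the matched events."""
    ids = inner_search(events, field, value, key)
    return subsearch_expansion(key, ids), outer_search(events, key, ids)


if __name__ == "__main__":
    condition, rows = chain_search(EVENTS, "other_field", "match_criteria1")
    print("implicit outer condition:", condition)
    for r in rows:
        print(r["name"], r["ID"], r["other_field"])
```

Running it prints the condition `(ID="A") OR (ID="B") OR (ID="C")` and the five events the question expects (event1 through event5); event6 through event8 drop out because D and E never appear with match_criteria1. One caveat relevant to the "I need to do an eval on the criteria field" remark: a field produced by `eval` is not visible to the initial search term of the subsearch, so in that case the subsearch has to compute the field first and filter afterwards (`... | eval other_field=... | search other_field=match_criteria1 | stats count by ID | table ID`) for the inner pass to return any IDs.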