Hello all,
I have two searches (shown below). In the first, I extract two fields, Code and Serial; in the second, I search for specific events that contain the problem number "PMN 23", and the field extracted is called PMN (1st field extracted from the 2nd search), which ranges across multiple reporting serials (2nd field extracted from the 2nd search). I would like to compare the Serial and reporting serial fields from the two searches for similarity, keep only the ones that match, and put them in a table/stats (whatever works really). However, I'm having problems running the two searches concurrently and comparing. Is there any way that I can do this?
Thank you
Search 1
index=* sourcetype=CodeLevels "Code Levels"
| rex "(?<Code>.*),(?<Serial>.*)"
Search 2
index=* sourcetype=syslog "PMN 23"
| rex "(?<PMN>.*),(?<reporting_serial>.*)"   ```named capture groups cannot contain spaces, so the field is reporting_serial```
You could do this
index=* (sourcetype=CodeLevels "Code Levels") OR (sourcetype=syslog "PMN 23")
| rex "(?<Code>.*),(?<Serial>.*)"
| eval PMN=if(sourcetype=="syslog",Code,null())
| eval Code=if(sourcetype=="CodeLevels",Code,null())
| stats count values(Code) as Code values(PMN) as PMN by Serial
| where count > 1 AND isnotnull(Code) AND isnotnull(PMN)
That's just one search, so it is more efficient too. It is not testing for a "similar" value of Serial and "reporting serial", but an exact match.
What would you consider "similar"?
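The combined search from the answer above, run against a handful of constructed events so it can be pasted into any Splunk search bar and checked without the CodeLevels and syslog data. This is an added example, not code from the thread: the four events (two "Code Levels" lines and two "PMN 23" lines, sharing only the serial SN001) are made up, and makeresults plus mvexpand stand in for index=* as the event source; the rex uses [^,]+ instead of .* so a trailing comma cannot bleed into the Serial field.

```spl
| makeresults
| eval raw="CodeLevels|Code Levels 1.2.3,SN001;CodeLevels|Code Levels 1.2.4,SN002;syslog|PMN 23,SN001;syslog|PMN 23,SN003"
| eval raw=split(raw, ";")
| mvexpand raw
| eval sourcetype=mvindex(split(raw, "|"), 0), _raw=mvindex(split(raw, "|"), 1)
| fields - raw
| search (sourcetype=CodeLevels "Code Levels") OR (sourcetype=syslog "PMN 23")
| rex "^(?<Code>[^,]+),(?<Serial>[^,]+)$"
| eval PMN=if(sourcetype=="syslog",Code,null())
| eval Code=if(sourcetype=="CodeLevels",Code,null())
| stats count values(Code) as Code values(PMN) as PMN by Serial
| where count > 1 AND isnotnull(Code) AND isnotnull(PMN)
```

Everything from the search command down is the answer's logic unchanged in structure: one rex pulls the first comma-separated field into Code for both sourcetypes, the two evals move the syslog copy into PMN and blank Code for syslog events, and stats by Serial brings the two sourcetypes together on the exact serial value. Against the constructed events this should leave a single row for SN001 (count 2, Code "Code Levels 1.2.3", PMN "PMN 23"); SN002 and SN003 each appear in only one sourcetype, so the isnotnull tests drop them. To run it over real data, delete the lines from makeresults through fields and replace the search command with the original index=* (...) OR (...) search.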
Sorry should have been more clear, by similar I mean exact match, and thank you!
index=blabla | my_search_request OR [index=blabla2 | my_search_request_2]
Can you explain this answer? I don't understand what my_search_request would look like, so I am unclear how this solution would work. Thanks!
I thought that raby1996 only needed to know how to run two searches at the same time. Please excuse me if I caused any confusion in any way. I see that your answer also used the Boolean operator OR, but your answer is definitely very complete.