How do I use the results of one search (2 sources) as input to a second search (3rd source)?
Here is what I have (but it isn’t working):
index=top10 (source=/home/oracle/workdir/reboots_Requests_Summary.csv NOT [search source=/home/oracle/workdir/reboots_summary.csv dedup PREMISE | fields + PREMISE]) INCLUDE [search source=/home/oracle/workdir/overall_ac_power.csv dedup PREMISE | fields + PREMISE]|where QUEUED_TIME
Breakdown is this
Reboots_requests_Summary.csv is compared against reboots_summary.csv by PREMISE ID. If there is NOT a matching PREMISE entry in reboots_summary then include that event in the results (THIS WORKS)
Skipping the INCLUDE search for now (will come back to this later)
The Where clause compares the results of the first search (step 1) so that only results where the QUEUED_TIME is less than the RESULT_TIME are selected (THIS WORKS)
Display PREMISE, QUEUED_TIME and RESULT_TIME in a table (THIS WORKS)
Back to the INCLUDE (step 2). First, when I add this I get no results, so it isn’t working. What I need to do is to use the results of step 1 to search a 3rd file so I get events that are identified by PREMISE that are in between QUEUED_TIME and RESULT_TIME. I would need to run a transaction by PREMISE where the transaction starts with (field)=Ethpwrloss and ends with (field)=ethpwrlossres and then get the duration.
The transaction and duration are easy enough. I’m stuck on the search….
Hi,
The way you used the [ and ] are correct. What is the result of that search?
[search source=/home/oracle/workdir/reboots_summary.csv dedup PREMISE | fields + PREMISE]) INCLUDE [search source=/home/oracle/workdir/overall_ac_power.csv dedup PREMISE | fields + PREMISE]
index=top10 (source=/home/oracle/workdir/reboots_Requests_Summary.csv NOT [search source=/home/oracle/workdir/reboots_summary.csv dedup PREMISE|table PREMISE])|table PREMISE
This works
index=top10 (source=/home/oracle/workdir/reboots_Requests_Summary.csv NOT [search source=/home/oracle/workdir/reboots_summary.csv dedup PREMISE|table PREMISE]) [search source=/home/oracle/workdir/overall_ac_power.csv|table PREMISE]
but sadly no joy on this one
Hi dbcase,
I think you can just omit the INCLUDE operator; this will add the results of the search [search source=/home/oracle/workdir/overall_ac_power.csv dedup PREMISE | fields + PREMISE] as a filter to the previous events. The full search would be something like:
index=top10 (source=/home/oracle/workdir/reboots_Requests_Summary.csv NOT [search source=/home/oracle/workdir/reboots_summary.csv | dedup PREMISE | fields + PREMISE]) [search source=/home/oracle/workdir/overall_ac_power.csv | dedup PREMISE | fields + PREMISE]|where QUEUED_TIME
I just didn't understand the last arguments "where QUEUED_TIME".
Hope this helps
odd, things keep getting truncated......
I still don't get results but let me ask a further question....
Once the first part of the query (within the () ) executes it then matches it with the second part of the query by using the common field PREMISE, correct?
Yes, but I think you should use the command "table PREMISE" instead of "fields + PREMISE". What is the result of that search:
source=/home/oracle/workdir/overall_ac_power.csv | dedup PREMISE | fields + PREMISE?? If it's a table with PREMISE and it's values it's correct and it will filter the other results.
And I'm not sure if INCLUDE is the right operator; no other operator I've tried seems to work.
Hey Gfreitas! Thanks for the prompt reply! I dunno why but the details on what is happening were left off my original question. I just posted them in the comments.
Summary is, if the INCLUDE [search source=/home/oracle/workdir/overall_ac_power.csv dedup PREMISE | fields + PREMISE] portion is OMITTED then I get results, otherwise no results 😞
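Added example, not from the original thread or any of its posters: one way to express the whole three-step chain in SPL. A subsearch placed directly in the outer search is expanded into an OR list of exact field=value terms, so it can carry PREMISE across but cannot express "events between QUEUED_TIME and RESULT_TIME"; the time window has to come in as fields, which is what the join does here. The subsearch from step 1 narrows the overall_ac_power.csv events to the surviving premises first, so the join only has to match a small set. Assumed, because the thread does not show them: QUEUED_TIME and RESULT_TIME are strings in the format "%Y-%m-%d %H:%M:%S", the start/end marker lives in a field called EVENT_TYPE, and all three files are in index=top10.

```spl
index=top10 source=/home/oracle/workdir/overall_ac_power.csv
    [search index=top10 source=/home/oracle/workdir/reboots_Requests_Summary.csv
        NOT [search index=top10 source=/home/oracle/workdir/reboots_summary.csv | dedup PREMISE | table PREMISE]
     | where QUEUED_TIME < RESULT_TIME
     | dedup PREMISE
     | table PREMISE]
| join type=inner PREMISE
    [search index=top10 source=/home/oracle/workdir/reboots_Requests_Summary.csv
        NOT [search index=top10 source=/home/oracle/workdir/reboots_summary.csv | dedup PREMISE | table PREMISE]
     | where QUEUED_TIME < RESULT_TIME
     | table PREMISE QUEUED_TIME RESULT_TIME]
| eval q_epoch=strptime(QUEUED_TIME, "%Y-%m-%d %H:%M:%S"),
       r_epoch=strptime(RESULT_TIME, "%Y-%m-%d %H:%M:%S")
| where _time >= q_epoch AND _time <= r_epoch
| transaction PREMISE startswith="EVENT_TYPE=Ethpwrloss" endswith="EVENT_TYPE=ethpwrlossres"
| table PREMISE QUEUED_TIME RESULT_TIME duration
```

The first, bracketed subsearch returns only PREMISE and so becomes a plain `(PREMISE=a OR PREMISE=b ...)` filter on the power-loss events; the join subsearch returns the same premises with their two timestamps, which the `eval`/`where` pair turns into the per-premise time window. Two things to check if this returns nothing: the string comparison `QUEUED_TIME < RESULT_TIME` only orders correctly when both fields share a fixed, zero-padded format, and `join` subsearches are subject to Splunk's subsearch row and runtime limits, so verify the inner searches on their own (as suggested in the answers above) before combining them.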