Hi, I tried to do a base search, then pass fields to the subsearch as both a filter and stat columns. I tested with the following:
index="_internal" | eval MyUser=user | table MyUser bytes | map search="search index="_audit" user=$MyUser$ | stats values(user), values($MyUser$) as MyUser, values($bytes$) as bytes, values(action) "
user=$MyUser$ works, but the columns for the fields MyUser and bytes are empty.
Please help. Thanks.
Besides, will there be a better and more efficient way to do so?
Thanks a lot.
/ST Wong
What are you trying to do? I don't believe there is a correlation between user & bytes in _internal AND user & bytes in _audit. Try this search; is this what you're after?
(index=_internal OR index=_audit) | stats values(bytes) as bytes values(action) as actions dc(index) as idx by user | where idx=2
Hi, thanks. I am just trying to do a base search, then pass fields to the subsearch as both a filter and stat columns, as mentioned. As I don't have much sample data for my trial Splunk Cloud instance, I just used _internal and _audit to verify the method, for learning the map function. Sorry to have caused you confusion.
Thanks.
Hi stwong,
I had this problem and I think that it's a bug.
I solved it with a workaround, inserting in the base search an eval command with the missing fields: e.g. | eval myfield=myfield
In this way I found the field also in the panel search.
Bye.
Giuseppe
Hi Giuseppe,
Thanks, I modified my search as follows, but it still doesn't work:
index="_internal" | eval MyUser=user | table MyUser bytes | eval MyUser=MyUser | eval bytes=bytes | map search="search index="_audit" user=$MyUser$ | stats values(user), values($MyUser$) as MyUser, values($bytes$) as bytes, values(action) "
Shall I add the eval statement like that? Thanks again.
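As an added example, not from any of the posters above: the map command substitutes each $field$ token with the row's value before the inner search runs, so values($MyUser$) turns into values(<the username>), a stats over a field that does not exist, which is why those columns come back empty. To carry a base-search value into the inner results, assign it with eval as a quoted literal. The search below assumes the same _internal and _audit indexes used in the thread and the maxsearches value is an arbitrary choice; map runs one search per input row (the default cap is 10), so the base search is aggregated per user first to keep the row count small.

```spl
index=_internal
| eval MyUser=user
| stats sum(bytes) as bytes by MyUser
| map maxsearches=20 search="search index=_audit user=\"$MyUser$\" | eval MyUser=\"$MyUser$\", bytes=tonumber(\"$bytes$\") | stats values(user) as audit_user, values(action) as actions, values(bytes) as bytes by MyUser"
```

The backslash-escaped quotes are needed because the whole inner search is itself a quoted string passed to map; quoting the substituted username also keeps the filter valid when the value contains spaces or other characters the parser would otherwise treat specially. tonumber() on the quoted bytes value yields null rather than a syntax error when a row has no bytes.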