A. I have a database catalog built using a DB query. It has 3 columns: Object Type, Name, description
B. I feed in the name as a parameter to search in log files for its occurrences
index=db NAME=* | map to index=log* search "NAME"
This returns source and source type.
Question
How will I create a report that includes all five columns from the 2 searches?
Ex: Object Type, Name, description, source, sourcetype.
Try like this
your DB Query giving field "Object Type" NAME description | rename "Object Type" as objType
| map maxsearches=10000 search="search index=log NAME=$NAME$ |..rest of search giving fields source sourcetype | eval objType=\"$objType$\" | eval description=\"$description$\" "
It fails:
index="ehr_uta_db" OBJECT_TYPE="Field" NAME=* |dedup NAME OBJECT_TYPE DESCR | map search="search index="ehr_uat_prcs" $NAME$" |eval OBJECT_TYPE=\$OBJECT_TYPE\$ as ObjectType | eval NAME=\$NAME\$ as ObjectName | table ObjectType ObjectName source ReportID
Try this version
index="ehr_uta_db" OBJECT_TYPE="Field" NAME=* |dedup NAME OBJECT_TYPE DESCR | fields NAME OBJECT_TYPE DESCR | map search="search index=\"ehr_uat_prcs\" $NAME$ | eval ObjectType=\"$OBJECT_TYPE$\" | eval ObjectName=\"$NAME$\" | table ObjectType ObjectName source ReportID"