Hi,
I have three sourcetypes. It's a complicated question. I'll try my best to let you understand what I mean.
sourcetypeA
id X Y Z
sourcetypeB
id keyword
sourcetypeC
X W V
W+V may be equal to 'Y' or 'Z'. It depends on the length. X isn't the only value.
I want to find where the keyword of B is 'success' but the result doesn't exist in sourcetype C, and display 'id'.
search A+B
...sourcetype="A" |eval Check_Y=len(Y)|eval Check_Z=len(Z)|where Check_Y>10 OR Check_Z>10 | search [search sourcetype="B" "success" |fields id]
But it always shows 'The specified search is too large....'.
In addition to this, how could I get the id?
I once thought about diff, but 'The diff command should not be used for events that have more than 500 lines, because the results may not be accurate.'.
And how could I just let the results of the subsearch use the "value" in the outer search, rather than field name and value?
I thought I couldn't use 'Y=XXX' or 'Z=XXX' on sourcetype C.
Or is there any other command that can help me achieve my goals?
I am very grateful to have you help. Thanks a lot. 😃
Assuming id, V, W, X, Y, Z, and keyword are all being extracted as fields.
Let's start with stitching together A and B:
sourcetype=A OR sourcetype=B | stats first(Y) as Y first(Z) as Z first(keyword) as keyword by id | search keyword="success"
That will stitch together sourcetype A and B and allow you to find just the pairs where keyword='success'.
Then you could tack on the results for sourcetype C. (Quite possibly someone can find a way to do this without the append command, possibly using the transaction command's more arcane 'transitive' mode.)
sourcetype=A OR sourcetype=B | stats first(Y) as Y first(Z) as Z first(keyword) as keyword by id | search keyword="success"
| append [search sourcetype=C ] | stats first(Y) as Y first(Z) as Z first(V) as V first(W) as W by X
And now you'll have one row with the full stitched-together combination of V, W, X, Y, Z, only for the rows where the keyword in B was 'success'.
And in general, whenever you want the subsearch results to use the "value" instead of field="value", you just tack on a rename to your subsearch like so:
| rename id to search
The subsearch logic is special-cased so that for fields called search or query, it will just use the values and ignore the field names.
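As an added example (not part of the answer above), here is the stitched search carried through to the asker's actual goal, rows whose B keyword is 'success' that have no match in sourcetype C, with id shown; it carries X and id through both stats calls so the final table can display them, and the second search shows the rename trick applied to the asker's original subsearch. It assumes the same field names (id, X, Y, Z, W, V, keyword), that A and C share the X field, and that the results fit the subsearch limits.

```spl
sourcetype=A OR sourcetype=B
| stats first(X) as X first(Y) as Y first(Z) as Z first(keyword) as keyword by id
| search keyword="success"
| append [ search sourcetype=C | fields X W V ]
| stats first(id) as id first(Y) as Y first(Z) as Z first(W) as W first(V) as V by X
| where isnull(W) AND isnull(V)
| table id X Y Z

sourcetype=A
| eval Check_Y=len(Y), Check_Z=len(Z)
| where Check_Y>10 OR Check_Z>10
| search [ search sourcetype=B keyword="success" | fields id | rename id AS search ]
```

In the first search, rows that came only from A+B have no W or V after the stats by X, so isnull(W) AND isnull(V) keeps exactly the ids with no sourcetype C counterpart. In the second, the rename makes the subsearch expand to bare values ("1" OR "2" ...) instead of id="1" OR id="2", which is what lets the same list be applied to a sourcetype that has no id field.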