How do I cascade intermediate search results to a ...

bsivakumar · ‎06-27-2017

A. I have a database catalog built using DB query. It has 3 columns : Object Type , Name , description
B. I feed in the name as an parameter to search in log files for its occurrences
index=db NAME=* | map to index=log* search "NAME"
This returns source and source type.
Question
How will create a report that includes all five columns from 2 searches?
Ex: Object Type , Name , description, source, sourcetype.

somesoni2 · ‎06-27-2017

Try like this

your DB Query giving field "Object Type" NAME description | rename "Object Type" as objType
| map maxsearches=10000 search="search index=log NAME=$NAME |..rest of search giving fields source sourcetype | eval objType=\"$objType$\" | eval description=\"$description$\" "

bsivakumar · ‎06-27-2017

It fails:
index="ehr_uta_db" OBJECT_TYPE="Field" NAME=* |dedup NAME OBJECT_TYPE DESCR | map search="search index="ehr_uat_prcs" $NAME$" |eval OBJECT_TYPE=\$OBJECT_TYPE\$ as ObjectType | eval NAME=\$NAME\$ as ObjectName | table ObjectType ObjectName source ReportID

somesoni2 · ‎06-27-2017

Try this version

index="ehr_uta_db" OBJECT_TYPE="Field" NAME=* |dedup NAME OBJECT_TYPE DESCR | fields NAME OBJECT_TYPE DESCR | map search="search index=\"ehr_uat_prcs\" $NAME$ | eval OBJECT_TYPE=\"$OBJECT_TYPE$\"  | eval ObjectName=\"$NAME$\" | table ObjectType ObjectName source ReportID"

How do I cascade intermediate search results to a final report?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...