I'm trying to create a query that can filter if a heartbeat has not occurred. Right now I have two separate queries I need to find a way to combine into one:
Query 1:
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-10d latest=-30m
| stats values(deviceId) as SeenIds
This gives me Ids of devices I'm expecting to see
Query 2:
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-30m
| stats values(deviceId) as LiveIds
This gives me Ids of devices that have sent a successful heartbeat in the last 30 minutes. The ideal way I would combine these is to filter out LiveIds from SeenIds, so I could get a list of devices that are potentially in trouble. How can I do so?
You can use subsearch to do that.
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-10d latest=-30m
| search NOT
[
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-30m
| stats values(deviceId) as deviceId
]
| stats values(deviceId) as SeenIds
Note: Make sure that you use "deviceId" (your field name) and not as "LiveIds" so that the filtering works.
You can use subsearch to do that.
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-10d latest=-30m
| search NOT
[
index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-30m
| stats values(deviceId) as deviceId
]
| stats values(deviceId) as SeenIds
Note: Make sure that you use "deviceId" (your field name) and not as "LiveIds" so that the filtering works.
That looks promising, but when I try it I get "Search Factory: Unknown search command 'index'."
The above was close, what actually worked after I played around with it was the following:
foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-10d latest=-30m | table deviceId | dedup deviceId
| search NOT
[search index=foo source="bar.log" sourcetype="baz" Device.statusReport earliest=-30m | table deviceId | dedup deviceId
]