I have the following search pipeline
search field1=xxxx | map search="search field2=yyyy field3=$file2$"
When I run it I only get as output the results from "search field2=yyyy field3=$file2$" for each result in the main search. Is it somehow possible to get in the output the events resulting from "search field1=xxxx" too without having to append them like this?
search field1=xxxx | map search="search field2=yyyy field3=$file2$" | append [ search field1=xxxx ]
I see... the most intuitive way would be to either use join:
search for requests | do some extracting to get a field called MessageID | join MessageID [search for responses | do some extracting to get a field called MessageID]
or to use transaction:
search for requests OR responses | do some extracting on each to get a field called MessageID in both types of events | transaction MessageID
Depending on your reporting after that, you may also be able to use stats instead of transaction, like this:
search for requests OR responses | do some extracting on each to get a field called MessageID in both types of events | stats some(reporting) as stuff by MessageID
Use join option "type=left" to get unmatched requests.
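As an added worked example (not from the answer or the original poster), here is the stats variant applied to the request/response use case described later in the thread, assuming the request carries a MessageID element and the response echoes it in a RelatesTo element; the index, sourcetype, and element names are assumptions.

```spl
index=app sourcetype=soap ("<MessageID>" OR "<RelatesTo>")
| rex field=_raw "<MessageID>(?<MessageID>[^<]+)</MessageID>"
| rex field=_raw "<RelatesTo>(?<RelatesTo>[^<]+)</RelatesTo>"
| eval kind=if(isnotnull(RelatesTo), "response", "request")
| eval corr_id=coalesce(RelatesTo, MessageID)
| stats count values(kind) as kinds earliest(_time) as first_time latest(_time) as last_time list(_raw) as raw by corr_id
| eval matched=if(mvcount(kinds)==2, "yes", "no")
| eval latency=last_time-first_time
| table corr_id kinds matched latency raw
```

Each row carries both the request and the response under the shared corr_id, so both raw events reach the output without a second search; unmatched requests still appear with matched="no", which is the stats equivalent of join type=left.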
You are getting fields from both sources. Don't use the event viewer tab to judge whether a join was successful; rather append a table field1 field2 ... and see if you're getting fields from both sources.
The raw text of an event is just another field (_raw), so its behaviour after a join may not be as intuitively expected.
I had already tried the join exactly the way you mentioned in the answer, and using it I am only getting the events on the left side (request) when there is a match and not both, as I would have expected from the description of the command.
My use case is the following one: I have to find a request and its matching response. Both the request and the response are XML messages. The response has an element called "MessageID" that contains a value that matches the value of another element called "RelatesTo" in the response. In the main search I look for the particular request I am looking for and extract the MessageID value using the rex command. I then use that $messageId$ in the map search to find the response. The problem is that using that I only get the response in the output and not the request.
What's your use case?