I'm having problems with getting a dbquery command to filter the results of a search.
When I run this search:
| dbquery PUMA_T3_ADHOC_REPORTING "select distinct AlertKey from (select AlertKey, update_time from alarm_collector order by update_time asc) where rownum = 1"
| eval PointCode = ALERTKEY
| table PointCode
I get a single result, a field called PointCode with a value of RTOX9891.
When I run this search:
index=ams sourcetype=ams TitleCode=GS TitleIndex=0120 EventType=TSAM*
[search dbquery PUMA_T3_ADHOC_REPORTING "select distinct AlertKey from (select AlertKey, update_time from alarm_collector order by update_time asc) where rownum = 1"
| eval PointCode = ALERTKEY
| table PointCode]
I get no results, even though when I run this search:
index=ams sourcetype=ams TitleCode=GS TitleIndex=0120 EventType=TSAM* PointCode=RTOX9891
I get two results.
Should not the second search produce the same results as the third search? The subsearch should filter the outer result set to those having a value for PointCode of RTOX9891.
Any idea why the second search doesn't produce results?