So I have a problem and I can't seem to crack it.
index=index1 host=server* EventCode=1234 |localize maxpause=1m| map search="search index=index2 host=server* errortext starttimeu=$starttime$ endtimeu=$endtime$" | stats count(host) by host
I'm trying to correlate EventCode 1234 in index1 with errors that show up in index2.
I need help capturing the "host names", which are the same in both indexes, so I can correlate exactly. The problem is that index2 throws this particular error text, but it's generally not a problem unless it occurs around EventCode 1234.
I tried a join:
index=index1 host=server* EventCode=1234 | stats values(host) by _time | join host [search index=index2 host=server* errortext]
This doesn't work out because it doesn't have any sort of time context of the EventCode vs. the error.
I tried this as well, but was unable to get it to work:
index=index2 host=server* errortext [search index=ssapevent host=server* EventCode=1234| rename _time AS earliest | eval earliest=latest + 60| fields earliest, latest]
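One way to get the same-host, same-time-window correlation the question asks for, as an added example that is not from the original post: pull both indexes in a single search, tag each event by its source, bucket by minute and host, and keep only the buckets that contain both an EventCode 1234 and the error. The index names, `host=server*` and the bare `errortext` term are taken from the post; the `evt`, `codes`, `errors` and `correlated_errors` field names are assumptions of this example.

```spl
(index=index1 host=server* EventCode=1234) OR (index=index2 host=server* errortext)
| eval evt=if(index=="index1", "code1234", "error")
| bin _time span=1m
| stats count(eval(evt=="code1234")) AS codes,
        count(eval(evt=="error")) AS errors
        BY host, _time
| where codes > 0 AND errors > 0
| stats sum(errors) AS correlated_errors,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY host
| convert ctime(first_seen) ctime(last_seen)
```

Because bucketing is by clock minute, an error and an EventCode 59 seconds apart can straddle a boundary and be missed; widening `span` (for example `span=2m`) trades precision for fewer misses.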