I have a somewhat complex query that I am trying to execute. Essentially what I would like to do is use a saved search as a "variable" of sorts for another search.
The saved search would be something along the lines of:
host=*blah "etc" | stats count(host)
From there, I would think I could use the result of that saved search as a variable for another search, where math is being performed. So, what I envision the other to be:
search "etc2" | stats count(host) as hostCount | eval diff = savedSearch / hostCount
I've searched around to see if this is possible, but I didn't find any conclusive results.