I want to combine some search results. I have one base search from there I need to do several searches, but at the end I need a single search result.
my base search | search code="1" ..do something
my base search | search code="2" ..do the same
my base search | search code="3" ..do also the same
There is always the same thing to do, but I need to separate the searches for calculating the time between events with the same code. Is it possible to do this in a single search, because there are 250 different codes? Something like:
my base search | for every value of code do this
At the end I need a table with all codes in it.
You really don't provide any details on what you're trying to achieve so it's hard to give really useful advice, but you could look into the map command which does something similar to what you're describing.
That said, it's highly likely you could find an even better solution that doesn't involve looping searches like this. If you described your exact problem, your data and your searches in more detail, chances are we can help you find alternative solutions.
In my base search I calculate the code and group events which occur within some milliseconds. They will get the same ID. The next step is to look for events that have the same code and got wrong IDs in the first step, because they occur within some seconds; they should also get the same ID. I implement such a search for one code this way:
first step, my base search:
host=Host_MA SEVERITY != FATAL | eval Zusatz=case(match(_raw,"VOLTAGE"),"VOLT", match(_raw,"TEMPERATURE"),"TEMP", match(_raw,"CURRENT"),"CURR", match(_raw,"power module fault"),"POMF") | eval Zusatz=if(Zusatz!="",Zusatz,"NULL") | eval Code=MSG_ID + ";" + Subcomponent + ";" + SEVERITY + ";" + Zusatz| delta _time p=1 AS diff | eval diff=round(-diff,3) | streamstats current=f window=1 first(Code) as prevcode | eval ID=case(isnull(diff),1,diff>0.003,1,1=1,0) | accum ID |
second step, several search with one code:
search Code="KERN_2205;bg_subcomp_linux;WARN;NULL" | delta _time p=1 AS diff2 | eval diff2=round(-diff2,3) | eval ID2=case(isnull(diff2),1,diff2>1.0,1,1=1,0) | accum ID2 | eventstats first(ID) as temp_id1 by ID2 | fields - ID, ID2, diff2| rename temp_id1 as ID
After that search I only get events with Code="KERN_2205;bg_subcomp_linux;WARN;NULL", but I'm looking for a way to add the results of the next search with Code="..."; there are over 250 different codes, so perhaps there is an easier way?
That is what I have to do with every code: search Code="KERN_2205;bg_subcomp_linux;WARN;NULL" | delta _time p=1 AS diff2 | eval diff2=round(-diff2,3) | eval ID2=case(isnull(diff2),1,diff2>1.0,1,1=1,0) | accum ID2 | eventstats first(ID) as temp_id1 by ID2 | fields - ID, ID2, diff2 | rename temp_id1 as ID
I'm not quite sure what your overall goal is, but here's how you can replace commands you've used in your comment to work for all codes in one go.
... | delta _time p=1 AS diff2 | ...
You search for one code because delta doesn't have a group-by option... however, you can just use
... | streamstats window=1 current=f global=f last(_time) as previous by Code | eval diff2 = previous - _time | ...
That'll copy over the neighbouring timestamp for each value of Code, effectively computing a diff _time by Code.
... | accum ID2 | ...
Same thing here, use streamstats with a grouping field:
... | streamstats sum(ID2) as sum_ID2 by Code | ...
... | eventstats first(ID) as temp_id1 by ID2 | ...
This is easiest, just add Code to the grouping:
... | eventstats first(ID) as temp_id1 by ID2 Code | ...
Disclaimer: I'm just going by the search you posted, not the use case behind it. Some transformations may not work in 100% of all imaginable cases, so do test what I posted thoroughly.
Finally, if you need on-site German-speaking help... 😄
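To make the equivalence in the answer above concrete, here is an added Python model (not from the thread and not Splunk code) of the two stages: the base search's global 3 ms grouping with accum, and the per-Code 1 s regrouping done either as one pass with per-Code state (the streamstats ... by Code approach) or as one separate pass per code (the asker's approach). The events, timestamps and code names are constructed; events are processed newest-first, as Splunk returns them by default, which is why the deltas are previous minus current.

```python
from collections import defaultdict

# Constructed sample events in Splunk's default newest-first order (not page data).
EVENTS = [
    {"_time": 100.000, "Code": "A"},
    {"_time": 99.999, "Code": "B"},
    {"_time": 99.500, "Code": "A"},
    {"_time": 98.000, "Code": "B"},
    {"_time": 97.999, "Code": "B"},
    {"_time": 50.000, "Code": "A"},
]

def step1_global_ids(events, gap=0.003):
    """delta _time p=1 | eval ID=case(isnull(diff),1,diff>gap,1,1=1,0) | accum ID"""
    out, running, prev = [], 0, None
    for ev in events:
        diff = None if prev is None else round(prev - ev["_time"], 3)
        running += 1 if diff is None or diff > gap else 0   # new group starts on a gap
        out.append({**ev, "ID": running})
        prev = ev["_time"]
    return out

def step2_by_code(events, gap=1.0):
    """streamstats last(_time) by Code | streamstats sum(ID2) by Code
       | eventstats first(ID) by ID2 Code, with state kept per Code."""
    prev_time, running = {}, defaultdict(int)
    for ev in events:
        code = ev["Code"]
        diff2 = None if code not in prev_time else round(prev_time[code] - ev["_time"], 3)
        running[code] += 1 if diff2 is None or diff2 > gap else 0
        ev["ID2"] = running[code]
        prev_time[code] = ev["_time"]
    first_id = {}                      # first(ID) within each (Code, ID2) group
    for ev in events:
        first_id.setdefault((ev["Code"], ev["ID2"]), ev["ID"])
    return [{"_time": ev["_time"], "Code": ev["Code"],
             "ID": first_id[(ev["Code"], ev["ID2"])]} for ev in events]

def single_search(events):
    """One search over all codes, grouping by Code inside the stream commands."""
    return step2_by_code(step1_global_ids(events))

def per_code_searches(events):
    """The asker's approach: one 'search Code=...' per code, results concatenated."""
    base = step1_global_ids(events)
    out = []
    for code in sorted({ev["Code"] for ev in base}):
        out.extend(step2_by_code([ev for ev in base if ev["Code"] == code]))
    return sorted(out, key=lambda ev: -ev["_time"])
```

With the sample above the event at 99.500 A is merged into the same ID as 100.000 A by the second stage, and the single pass yields exactly the same table as running one search per code.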
You can, and did... about six times 😛
I won't be available for the next few weeks, you can talk to the sales people listed on my website though.