I have a first search that will find the software list
search index=index1 | table software
In the second search, I need to use the result of the first search to find the matching results with the "where" command.
Try like this
index=index2 [search index=index1 | table fields1 | eval fields2="*".fields1."*" | table fields2] | table fields2
I have two fields, one in each index: the first one, fields1, for index1 and the second, fields2, for index2
index=index2 [search index=index1|fields1] | where fields2 like "%fields1%" | table fields2
Your question is not very specific, so there are many answers depending on the context. Suppose your second search is "index=index2" and there is a field called software, then you could use a subsearch as follows:
index=index2 [search index=index1|fields software]
If the field in the second search is package instead of software, then you can do this:
index=index2 [search index=index1|rename software as package|fields package]
I think you mistake the where command with the SQL where. They are two different things. To achieve what you are looking for with a subsearch, you can do the following:
index=index2 [search index=index1|eval fields2="*"+fields1+"*"|fields fields2]
Depending on what you are trying to achieve, this can be made more efficient, but the "*" in search is similar to SQL '%'.
A subsearch...
Usually/often used like
index=index2 [search index=index1 | table software]
If your subsearch returns "Office" and "Windows" then the entire search after running it becomes index=index2 AND (software=Office OR software=Windows).
If you specifically need to use where, it should still work the same.
index=index2 ... | where search [index=index1 | table software]
But, there are comparison cases where it gets just a tiny bit trickier. If you could provide the search you are actually using, it might be easier to get a really specific answer.
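The expansion described in the answers above, as an added Python model that is not part of the original thread and is not Splunk code: it renders the subsearch rows as the OR'd terms the outer search receives, applies them with "*" wildcards, and contrasts that with a quoted `like "%fields1%"` pattern. The function names and the sample rows are constructed for illustration; the field names fields1 and fields2 come from the question.

```python
import re

# Constructed sample data standing in for index1 and index2.
INDEX1 = [{"fields1": "Office"}, {"fields1": "Windows"}]
INDEX2 = [{"fields2": "Microsoft Office 2016"},
          {"fields2": "windows 10 Pro"},
          {"fields2": "Firefox ESR"}]


def build_wildcard_rows(index1_rows):
    """Model of: eval fields2="*".fields1."*" | fields fields2"""
    return [{"fields2": "*" + row["fields1"] + "*"} for row in index1_rows]


def expand_subsearch(rows):
    """Render the rows as search terms: fields in a row are ANDed, rows are ORed."""
    clauses = []
    for row in rows:
        terms = " AND ".join(f'{k}="{v}"' for k, v in row.items())
        clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def wildcard_match(value, pattern):
    """Search-style comparison: '*' matches any run of characters, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def run_outer_search(events, rows):
    """Keep events that satisfy at least one row of the expanded subsearch."""
    return [e for e in events
            if any(all(wildcard_match(e.get(k, ""), v) for k, v in row.items())
                   for row in rows)]


def where_like_literal(events):
    """Model of: where fields2 like "%fields1%". The quoted pattern is a literal
    string, so it looks for the text 'fields1', not for the values of that field."""
    return [e for e in events if "fields1" in e["fields2"]]


if __name__ == "__main__":
    rows = build_wildcard_rows(INDEX1)
    print(expand_subsearch(rows))
    print(run_outer_search(INDEX2, rows))
    print(where_like_literal(INDEX2))
```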