I have a dashboard where I want to report whether each value of the results of a query matches a value in a fixed list.
I have a base search that produces the fixed list:
<search id="expectedResults">
<query>
| makeresults
| eval expectedResults="My Item 1,My Item 2,My Item 3"
| makemv delim="," expectedResults
| mvexpand expectedResults
| table expectedResults
</query>
<done>
<set token="expectedResults">$result.expectedResults$</set>
</done>
</search>
Then I have multiple panels that will get results from different sources, pseudo-coded here:
index="my_index_1" query
| table actualResults
| stats values(actualResults) as actualResults
Assume that the query returns "My Item 1" and "My Item 2".
I am not sure how to compare the values returned from my query against the base list, to give something that reports whether it matches each value.
My Item 1 | True
My Item 2 | True
My Item 3 | False
You possibly need to expand on your use case. Does your "base search" return your expected results in a particular order, and do they have a key field which can be correlated against your actual results? Also, you should bear in mind that stats values() returns a multivalue field in deduplicated and sorted order, which may not necessarily be the same order as your base search.
The base search is a hard-coded list of known values using makeresults, so I could certainly add a key (and it could match the field name being returned in the query).
| makeresults
| eval expectedResults=actualResults="My Item 1", actualResults="My Item 2", actualResults="My Item 3"
| makemv delim="," expectedResults
| mvexpand expectedResults
| table expectedResults
I'm not concerned about a sort order, except maybe when I do a final presentation of the data. It's more about determining which values are returned in the query matching (or not matching) the values in the base list.
Your makeresults isn't valid SPL so it is still a little unclear what you are working with.
Having said that, if your makeresults has two fields, a key field and an expected results field, you could append your makeresults to your actual results and then use stats to combine the events by their key values; then you can compare whether they are different.
Sorry - learning a few things as I go here.
Basically, I just need to compare the results of a search to a static known list of values.
The search will return a list of values using stats.
stats values(actualResults) as actualResults
I guess I'm not 100% clear on what to do first to create the static list using makeresults, and then to append/use stats to combine - I have attempted to do so without getting the results I expect.
If I were to put it in SQL terms, I'd have a reference table of known values ("My Item 1", "My Item 2", etc.) and a results table of data to search, and I'd do a left outer join:
Ref Table: MY_REF_TABLE
KNOWN_ITEM
My Item 1
My Item 2
My Item 3
My Item 4
Results Table: MY_RESULTS_TABLE
RESULT_ITEM
My Item 1
My Item 3
Query:
select KNOWN_ITEM,
       case when RESULT_ITEM is null then 'No Match' else 'Match' end as HASMATCH
from MY_REF_TABLE
left join MY_RESULTS_TABLE
  on KNOWN_ITEM = RESULT_ITEM
Results:
KNOWN_ITEM | HASMATCH
My Item 1  | Match
My Item 2  | No Match
My Item 3  | Match
My Item 4  | No Match
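The SQL left join above can be expressed in SPL with the append-then-stats approach suggested earlier in the thread. This is an added example, not code posted by either participant: the index name, the placeholder filter `query` and the item values come from the thread, while the field names item, expected and hits are my own choices.

```spl
| makeresults
| eval item="My Item 1,My Item 2,My Item 3,My Item 4"
| makemv delim="," item
| mvexpand item
| eval expected=1
| fields item expected
| append
    [ search index="my_index_1" query
      | stats count as hits by actualResults
      | rename actualResults as item ]
| stats max(expected) as expected, sum(hits) as hits by item
| where expected=1
| fillnull value=0 hits
| eval matched=if(hits>0, "True", "False")
| table item matched
```

The makeresults rows play the role of MY_REF_TABLE and carry expected=1, the subsearch counts each distinct actualResults value, and the stats by item merges the two sides so that every reference row survives (hits is empty, filled to 0, where nothing matched); the where expected=1 drops values seen in the index that are not on the reference list, exactly as the left join does. Comparison is case-sensitive, so normalise with lower() on both sides before the stats if the index values vary in case.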