From my saved search I'm trying to get the values of a field like below:
<search>
<query>| savedsearch mysearch field3 = $value$ </query>
</search>
but it's not working.
My report query is:
index = internal |stats count by field1 field2 field3 field4
The savedsearch command's tokens are for input, not output, so you can do this:
|savedsearch mysearch field3="$value$" ...
But this will send the value of $value$ in to be used for field3 if mysearch was written with field3 as a token.
You'll need to search after fetching your search results like this:
<search>
<query>| savedsearch mysearch | search field3 = $value$</query>
</search>
The | savedsearch command does not support filtering the results.
Also, you might want to consider using loadjob if your search is scheduled.
Thank you for clarifying, it made me think in a different way.
If $value$ is a field name, then:
index = internal | stats count by field1 field2 $field3$ field4
If you are filtering field3 with the value $value$, then:
index = internal field3=$field3$ | stats count by field1 field2 field3 field4
My report query is:
index = internal field1= (asterisk) field2=(asterisk) field3=(asterisk) field4=(asterisk) |stats count by field1 field2 field3 field4
I kept (asterisk) because I was not able to put the asterisk symbol.
Then your report query should be:
index = internal field1= * field2=* field3=$field3$ field4=* |stats count by field1 field2 field3 field4
OR
index = internal field1= * field2=* field3=* field4=* |stats count(eval(field3=$field3$)) as count by field1 field2 field3 field4
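As an added illustration (not from any post in this thread), here is a Simple XML form that puts the two patterns discussed above side by side: filtering with | search after the saved search returns, and passing the dashboard token into the saved search as a savedsearch argument. It assumes the index is _internal and that, for the second pattern, the report is saved with $field3$ inside its search string.

```xml
<form>
  <label>Filter a saved search by field3</label>
  <fieldset submitButton="false">
    <!-- Dashboard token $value$ is set by this text box -->
    <input type="text" token="value">
      <label>field3 value</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Pattern 1: filter the results after the saved search runs</title>
      <table>
        <search>
          <!-- mysearch returns the whole stats table; the dashboard token is
               applied by | search afterwards. Works with the report as saved,
               i.e. index=_internal | stats count by field1 field2 field3 field4 -->
          <query>| savedsearch mysearch | search field3="$value$"</query>
        </search>
      </table>
    </panel>
    <panel>
      <title>Pattern 2: pass the token into the saved search</title>
      <table>
        <search>
          <!-- Only works if the report itself contains a savedsearch token.
               Assumed savedsearches.conf stanza:
               [mysearch]
               search = index=_internal field3="$field3$" | stats count by field1 field2 field3 field4
               The dashboard substitutes $value$ first, then savedsearch
               substitutes $field3$ with the argument it receives. -->
          <query>| savedsearch mysearch field3="$value$"</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

If the report is scheduled, the first panel can use | loadjob with the report's saved search name instead of re-running the search, and the | search filter still applies on top.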
You say "it's not working", but don't say what results you get or what results you expect. Please elaborate.
Like, the stats with fields (field1 field2 field3 field4) are there, and I want to search the stats for a specific value based on field3, but I'm getting all the values, not the specific one.