Hi,
I have a main search that generates counts of events table by date, UID and host something like for example:
| date | UID | host | count |
| 20201014 | abc01 | host1 | 25 |
| 20201015 | abc01 | host2 | 16 |
| 20201016 | xyz01 | host1 | 1 |
Then I generate additional fields from a sub-search by joining on those dates and UIDs. The problem is, I need to dynamically perform the sub-search for earliest=-30d and latest=-3d based on the values of dates in each row from the main search. That is, the sub-search for the second row where dat=20201015 should only extract results from 30 days prior to 2020-10-15 (i.e. earliest=2020-09-15) upto 3days prior to 20201015 (i.e. latest=2020-10-12). Similarly, the sub-search for the third row should only extract results from 30 days prior to 2020-10-16 (i.e. earliest=2020-09-16) up to 3days prior to 2020-10-16 (i.e. latest=20201013).
How do I do that?
So far, I have done:
<main search> | eval date=strftime(_time, "%Y%m%d") ...
| join type=inner date, uid, host
[search index=subsearch_idx
[| gentimes start=-30 end=-3 increment=1d | addinfo | eval earliest=info_min_time | eval latest=info_max_time | return earliest latest] continue_subsearch...]
| continue_main_search
It doesn't seem to work however. How can I populate the dates for the sub-search dynamically based on the values of the date in the main search? Thank you for your time and help.
