Query One: One that is exclusive of Server4 in Index1 based on the hosts in Index2. I.e. based on the Index2 hosts, I run a query on Index1 and only show the same hosts, Server1–Server3.
Query Two: This one is exclusive of any hosts that are in Index2 when we run a search in Index1. I.e. based on the Index2 hosts, I run a query on Index1 and it only shows the host Server4.
P.S. This is an enterprise-class system; the hostname columns are a moving target, and the hostnames are also under different field names.
Index1
- Server1
- Server2
- Server3
- Server4
Index2
- Server1
- Server2
- Server3
Hi princeali,
Let me know:
- Do you have events in Index1 from Server1–Server4 and events in Index2 from Server1–Server3?
- Do you want to search events in Index1 where Server1–Server4 come from another search, and to search events in Index2 where Server1–Server3 come from another, different search?
In the first case it's easy:
(index=index1 host=server1 OR host=server2 OR host=server3 OR host=server4) OR (index=index2 host=server1 OR host=server2 OR host=server3)
In the second case:
(index=index1 [ search another_search1 host=server1 OR host=server2 OR host=server3 OR host=server4 | dedup host | fields host ]) OR (index=index2 [ search another_search2 host=server1 OR host=server2 OR host=server3 | dedup host | fields host ])
You have to use the second one if you want to search in index1 and index2 only the hosts that you find in another search. If you want to search hosts in the same index, you don't need a subsearch and you can use the first.
In addition, remember that there's a limit of 50,000 results for subsearches.
Bye.
Giuseppe
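The two result sets the question asks for, written out as an added example (not from anyone in this thread) using the subsearch approach from the answer above. It assumes index1 stores the host in a field named `host` and index2 in a field named `hostname` (placeholders, since the post says the field names differ), and renames inside the subsearch so the returned terms match index1's field name; the first search keeps only index1 hosts that also appear in index2 (Server1–Server3), the second uses NOT to keep the hosts that appear only in index1 (Server4).

```spl
index=index1
    [ search index=index2
      | stats count BY hostname
      | rename hostname AS host
      | fields host ]
| stats count BY host

index=index1 NOT
    [ search index=index2
      | stats count BY hostname
      | rename hostname AS host
      | fields host ]
| stats count BY host
```

The subsearch is expanded into a `(host=Server1) OR (host=Server2) OR ...` clause before the outer search runs, so the `stats count BY` deduplicates the host list and the 50,000-result subsearch limit Giuseppe mentions applies to the number of distinct hosts in index2.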
Hi @princeali,
Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!
Could you share the two queries?
I'm seeking assistance with writing the two queries.
