By default, when we append a subsearch to a search, it looks for events whose _raw field value matches one of the values returned by the subsearch.
Is there a way to check that a certain field value (not _raw like above) matches one of the values returned by the subsearch?
I tried the below, by appending host= to my subsearch results, to force searching on the field host, and nothing else, but it didn't work.
mysearch [mysubsearch|fields host|eval host="host=".host]
Try something like this
mysearch [mysubsearch|fields host|eval host="host=".host | return $$host]
OR
mysearch [mysubsearch|fields host|eval search="host=".host | table search]
Updated
mysearch [mysubsearch|table host | format ]
I found a solution... which seems inefficient, but works:
mysearch |join host [mysubsearch|fields host]
Either
mysearch [ mysubsearch | return 10000 host ]
or in this particular case:
mysearch [ mysubsearch | fields host ]
are the shortest and simplest. You don't need table or field with return. You don't need format because it's implicitly done at the end of a subsearch. You use 10,000 to set the max number of values to be considered. (The default is 1, only the first host will be considered.) In your original question, you didn't mention that you might have multiple values.
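As an added illustration, not part of this thread and not Splunk's own code, the following Python models how the rows a subsearch hands back are turned into the filter appended to the outer search: the implicit `format` step (values quoted, fields within a row AND'd, rows OR'd), the default count of 1 on `return`, and what the `eval host="host=".host` attempt actually produces. The host names and events are constructed, and the exact parenthesisation follows Splunk's documented default `format` output but is a modelling assumption; the `search` field being inserted verbatim is likewise taken from the documentation rather than verified against a live instance.

```python
import re

# Constructed sample data (not from the original thread): the rows that
# `mysubsearch | fields host` would hand back, and the events that
# `mysearch` scans before the subsearch filter is applied.
SUBSEARCH_ROWS = [{"host": "web01"}, {"host": "web02"}, {"host": "db01"}]
EVENTS = [
    {"host": "web01", "_raw": "GET /login 200"},
    {"host": "web02", "_raw": "GET /admin 403"},
    {"host": "db01", "_raw": "slow query 4.2s"},
    {"host": "cache01", "_raw": "evicted 120 keys"},
]

# Matches quoted field="value" terms only; that is all the filters modelled
# here produce, so unquoted or wildcard terms are deliberately out of scope.
TERM_RE = re.compile(r'(\w+)="([^"]*)"')


def format_rows(rows):
    """Model of the implicit `format` at the end of a subsearch.

    Each row becomes one parenthesised clause; fields inside a row are AND'd,
    rows are OR'd, values are double-quoted. A row whose only field is the
    special `search` field is inserted verbatim (per Splunk's documentation).
    Modelling assumption: the empty-result case is not covered.
    """
    clauses = []
    for row in rows:
        if set(row) == {"search"}:
            clauses.append(f"( {row['search']} )")
        else:
            terms = " AND ".join(f'{f}="{v}"' for f, v in row.items())
            clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def splunk_return(rows, count=1, fields=("host",)):
    """Model of `| return <count> <field>...`.

    Only the first `count` rows are kept (the default is 1, which is why a
    bare `return host` filters on a single host). Each kept row becomes
    field="value" terms, and the rows are OR'd into one `search` field.
    """
    terms = [
        " ".join(f'{f}="{row[f]}"' for f in fields if f in row)
        for row in rows[:count]
    ]
    return [{"search": " OR ".join(terms)}]


def eval_prefix(rows, target):
    """Model of `| eval <target>="host=".host` applied to the subsearch rows:
    the literal text host= is glued onto the front of every host value."""
    return [{target: "host=" + row["host"]} for row in rows]


def matching_hosts(events, filter_text):
    """Apply a filter of OR'd field="value" terms to the events and return the
    sorted set of hosts that survive. An event matches if any term matches."""
    terms = TERM_RE.findall(filter_text)
    return sorted({e["host"] for e in events if any(e.get(f) == v for f, v in terms)})


def demo():
    """Run the three variants discussed in the thread against the sample events."""
    plain = format_rows(SUBSEARCH_ROWS)                      # fields host
    prefixed = format_rows(eval_prefix(SUBSEARCH_ROWS, "host"))  # eval host="host=".host
    one = format_rows(splunk_return(SUBSEARCH_ROWS))         # return host (count 1)
    many = format_rows(splunk_return(SUBSEARCH_ROWS, count=10000))
    return {
        "fields host": (plain, matching_hosts(EVENTS, plain)),
        "eval host=host=.host": (prefixed, matching_hosts(EVENTS, prefixed)),
        "return host": (one, matching_hosts(EVENTS, one)),
        "return 10000 host": (many, matching_hosts(EVENTS, many)),
    }


if __name__ == "__main__":
    for variant, (filter_text, hosts) in demo().items():
        print(f"{variant:22} -> {filter_text}\n{'':22}    matches {hosts}")
```

The model makes the failure of the first attempt visible: `eval host="host=".host` produces terms like `host="host=web01"`, so the outer search is looking for a host literally named `host=web01` and nothing matches. It also shows why the count on `return` matters: with the default of 1 only `web01` survives, while `return 10000 host` and the plain `fields host` both yield the three intended hosts and exclude `cache01`.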
I might have overlooked the scenario where there will be multiple hosts. You can give the updated answer a try (it will be faster than join).
But thanks for help!
None of these solutions work.
No clue what the first one does, plenty of events from wrong hosts are returned in the end.
The second one is very close to my first attempt, but like it, doesn't work. The subsearch produces the output anticipated, but the main one is missing the events from many hosts which should have been included.