Hi,
I have two searches.
The first search runs once per day (lookback -24h@h, latest=now, cron: 5 4 * * *) and writes the results to a summary index:
my base search
...
...
| collect index=summary source="base generator"
The second search also runs once per day (lookback -24h@h, latest=now, cron: 5 6 * * *):
my base search
| join type=left field1 field2
[ search index=summary source="*base generator*"..... ]
Now I have results as expected, something like this:
Field1 field2 _time
UserA list of names 30/5/2023 9:30
UserA list of names 30/5/2023 9:40
(field1 and field2 are the same as in the first row, but with different time values)
In this case, I need a consolidated event count. For the above scenario, my count of events should be 2, based on field1 and field2 irrespective of the _time field.
I tried, but no luck. Any help would be much appreciated. Thanks in advance!
It is a bit confusing which results are coming from where. For example, are the results at 9:30 and 9:40 both coming from the base search of your second search?
What "additional" data are you expecting to retrieve from the join?
Note that join adds data fields to existing events, it does not add events. If you want to add events (from the summary index) use the append command instead of join.
@ITWhisperer
The base searches of the first and second are the same. The reason to write the results of the first one to the summary index is to get the historical events.
Now for the second one, using the same base search and correlating it with the summary index using a join, I'm trying to retrieve the list of new events which weren't historical (i.e. not those from the summary).
Now I get results like this:
Field1 field2 _time
UserA list of names 30/5/2023 9:30
UserA list of names 30/5/2023 9:40
(field1 and field2 are the same as in the first row, but with different time values)
So, if there are two events with the same user (from field1) and the same list of names (from field2), I need a consolidated event count. For the above scenario, my count of events should be 2, based on field1 and field2 irrespective of the _time field.
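The following is an added example, not code from either poster, putting together the two points in this thread: ITWhisperer's note that join only adds fields (so append is the way to bring the summary-index events in as events), and the follow-up goal of listing only the combinations of field1/field2 that have no historical copy in the summary index, counted irrespective of _time. `<my base search>` stands in for the elided base search, the summary source name is taken from the collect command above, and the field names field1/field2 are assumed to be the ones the base search produces.

```spl
<my base search>
| eval origin="live"
| append
    [ search index=summary source="base generator" earliest=-24h@h latest=now
      | eval origin="historical" ]
| eval is_live=if(origin="live", 1, 0), is_hist=if(origin="historical", 1, 0)
| stats sum(is_live) as live_count, sum(is_hist) as hist_count, min(_time) as first_seen, max(_time) as last_seen by field1, field2
| where hist_count=0 AND live_count>0
| table field1 field2 live_count first_seen last_seen
```

For the two UserA rows above this yields one row with live_count=2, because stats groups on field1 and field2 only. Two things to check on a real deployment: if field2 is a multivalue field ("list of names"), add `| eval field2=mvjoin(field2, ",")` before the stats on both the live and the historical side, otherwise stats will split each name into its own row; and append runs the summary search as a subsearch, so it is subject to the subsearch result and time limits, which matters if the summary index grows large.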
If you are trying to find new events when the job is running 2 hours later, why not just set the timeframe to -2h@h?