Hi,
I have a question about subsearches; I'm probably misunderstanding the docs and other posts.
This is my search:
index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | rename objectId as search ] stringFilter
The subsearch, executed as a normal search, produces many results, so many objectIds.
My expectation is that the final search is like the one below:
index=MyIndex (objectId-1 OR objectId-2 OR objectId-3) stringFilter
The behavior is different, only one objectId is used to search and the final search is similar to this:
index=MyIndex (objectId-1) stringFilter
I don't understand why, and what I need to change in order to process all objects of the subsearch result set.
Thanks for any kind help
Marcello
Yo mcfly, @trucall, we've got answers for you. Did anything work?
You are taking over too much control and doing it all wrong. Start with this:
index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats count BY objectId
See what this produces and then switch to this:
index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats count BY objectId | fields - count | format
See what this produces and then switch to this:
index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId=//g"
See what this produces and then switch to this:
index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)" | stats count BY objectId | fields - count | format "(" "" "" "" "OR" ")" | rex field=search mode=sed "s/objectId=//g" ] stringFilter
Using format will result in the subsearch returning something like (objectId="123" OR objectId="456"), which won't work given that objectId apparently is not an extracted field. He wants the subsearch to only return the values, to then work as a string filter.
Ah, based on this clarification, I have modified my original answer above.
I trust you meant | rex field=search mode=sed "s/objectId=//g"
🙂
ARGH! Yes, you are right (I edited and fixed that, too). I was using a run-anywhere search to test but forgot to convert that part when I posted the answer. Thank you for grading my papers.
Probably because your subsearch does not have any transforming commands. I think the following should work:
index=MyIndex [ search index=MyIndex host=as-x | rex " info about (?<objectId>[A-Z0-9]+)"| stats values(objectId) as search | eval search = mvjoin(search," OR ") ] stringFilter
Note: if you make sure objectId is properly extracted (so you don't need rex for it), you can simply do:
index=MyIndex [ search index=MyIndex host=as-x | fields objectId | dedup objectId | format ] stringFilter
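To make the two answers above concrete, here is an added Python model (not code from the thread or from Splunk) of how the rows a subsearch returns are turned into the boolean expression that gets spliced into the outer search. It follows the documented defaults of the `format` command ("(" "(" "AND" ")" "OR" ")") and the convention that a field named `search` is inserted verbatim; the exact whitespace real Splunk emits may differ, and the sample rows are constructed.

```python
# Added example: a model of Splunk's subsearch-to-search-string rendering.
# Assumptions: `format` defaults are "(" "(" "AND" ")" "OR" ")", each ordinary
# field renders as field="value", and a field literally named `search` is
# inserted as-is. Whitespace is a simplification of real Splunk output.
import re
from typing import Dict, List

# Constructed rows standing in for the subsearch output after
# `| stats count BY objectId | fields - count`: one objectId per row.
SUBSEARCH_ROWS: List[Dict[str, str]] = [
    {"objectId": "AB12"},
    {"objectId": "CD34"},
    {"objectId": "EF56"},
]


def format_rows(rows: List[Dict[str, str]],
                row_prefix: str = "(", col_prefix: str = "(", col_sep: str = "AND",
                col_end: str = ")", row_sep: str = "OR", row_end: str = ")") -> str:
    """Model of `| format`: fields within a row are joined with col_sep, rows are
    joined with row_sep. A field named `search` keeps its raw value, which is why
    `rename objectId as search` avoids emitting the field name at all."""
    rendered_rows = []
    for row in rows:
        parts = []
        for field, value in row.items():
            if field == "search":
                parts.append(str(value))          # verbatim, no field="..." wrapper
            else:
                parts.append(f'{field}="{value}"')
        body = f" {col_sep} ".join(parts)
        rendered_rows.append(" ".join(t for t in (col_prefix, body, col_end) if t))
    joined = f" {row_sep} ".join(rendered_rows)
    return " ".join(t for t in (row_prefix, joined, row_end) if t)


def strip_field_name(search_string: str, field: str = "objectId") -> str:
    """Model of `rex field=search mode=sed "s/objectId=//g"` from the first answer:
    remove the field name so only the quoted values remain as a string filter."""
    return re.sub(re.escape(field) + "=", "", search_string)


def mvjoin_approach(rows: List[Dict[str, str]], field: str = "objectId") -> str:
    """Model of the second answer: `stats values(objectId) as search |
    eval search = mvjoin(search, " OR ")` yields one row whose `search` field
    already holds the OR-ed values (values() de-duplicates and sorts)."""
    values = sorted({row[field] for row in rows})
    return format_rows([{"search": " OR ".join(values)}])


if __name__ == "__main__":
    print(format_rows(SUBSEARCH_ROWS))
    custom = format_rows(SUBSEARCH_ROWS, "(", "", "", "", "OR", ")")
    print(custom)
    print(strip_field_name(custom))
    print(mvjoin_approach(SUBSEARCH_ROWS))
```

Running it shows the three stages the first answer walks through: the default `format` output with `objectId="..."` pairs, the flattened `format "(" "" "" "" "OR" ")"` output, and the sed-stripped version that works as a plain string filter; the last line shows the single-row result of the `mvjoin` approach.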