Here is what I do to get the required search results using two separate searches:
SEARCH#1
I use the following query
index=hardware_inventory vendor=hp AND env=prod |dedup ServerName|table ServerName
In order to generate a statistical table containing a single-column list of server names:
servername1
servername2
servername3
SEARCH#2
I use the following query to generate search results using the names I obtained earlier in SEARCH#1
index=software_inventory servername1 OR servername2 OR servername3
It is an easy task if you have 3 servers, but it is not if you have 500.
QUESTION:
How do I combine these two searches into one so I don't have to put server names manually into second search?
Thank you so much for your help!
Assuming the software inventory index contains field extractions for the server names and the field is called servername...
index=software_inventory [search index=hardware_inventory vendor=hp AND env=prod |dedup ServerName|table ServerName] | search servername=ServerName
Or maybe it's just as easy as this:
index=software_inventory [search index=hardware_inventory vendor=hp AND env=prod |dedup ServerName|table ServerName]
I'm not very awesome at subsearches...
ServerName field does not exist in software_inventory index.
However, values (servername1, servername2, servername3..) do exist in software_inventory index.
Basically what I am doing is extracting a list of server names from the hardware_inventory index and then using this list of names to extract all data associated with these names from the software_inventory index.
That's why I mentioned the assumption, and it certainly changes the answer 😉
index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | rename ServerName as search ]
Or use return command instead of rename:
index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | return $ServerName ]
Thanks so much for trying to help me!!!
I did try both of the queries but I am still getting incorrect results: it shows only the very first name (value) from the list generated from hardware_inventory. Somehow it is only passing one value, not multiple values, to the software_inventory search.
Somehow I need to pass OR after each value name in order to get the right results.
If I can make the query:
index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | rename ServerName as search ]
return events for more than one value, I think that would do it!
index=software_inventory [ search index=hardware_inventory vendor=hp env=prod | dedup ServerName | table ServerName | return 500000 $ServerName]
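To see why `return $ServerName` handed only the first server to the outer search while `return 500000 $ServerName` and `format` hand over all of them, here is an added Python model (not Splunk code and not from this thread) of how the subsearch's result table is turned into search text. The rows are constructed sample data, the functions are hypothetical stand-ins for the `return` and `format` commands, and the exact whitespace real Splunk emits may differ from what is reproduced here.

```python
from typing import Dict, List

# Constructed stand-in for the subsearch's output table
# (`... | dedup ServerName | table ServerName`); no index is queried.
SUBSEARCH_ROWS: List[Dict[str, str]] = [
    {"ServerName": "servername1"},
    {"ServerName": "servername2"},
    {"ServerName": "servername3"},
]


def spl_return(rows: List[Dict[str, str]], field: str, count: int = 1) -> str:
    """Model of `| return <count> $<field>`: bare values, OR-joined.

    The count defaults to 1, which is why `return $ServerName` in the
    thread passed only the first server name to the outer search.
    """
    vals = [r[field] for r in rows[:count] if field in r]
    if not vals:
        return ""                      # empty-subsearch behaviour not modelled
    if len(vals) == 1:
        return vals[0]
    return " OR ".join(f"({v})" for v in vals)


def spl_format(rows: List[Dict[str, str]], field: str) -> str:
    """Model of `| fields <field> | format`: field="value" terms, OR-joined.

    Every value is quoted, so a server name containing a space or a word
    such as OR cannot change the shape of the outer query; `return $field`
    and `rename ... as search` insert the values unquoted.
    """
    def quoted(v: str) -> str:
        return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'

    terms = [f"( {field}={quoted(r[field])} )" for r in rows if field in r]
    return "( " + " OR ".join(terms) + " )" if terms else ""


def outer_search(base: str, expansion: str) -> str:
    """The search Splunk actually runs once the subsearch has expanded."""
    return f"{base} {expansion}".strip()


if __name__ == "__main__":
    print(outer_search("index=software_inventory", spl_return(SUBSEARCH_ROWS, "ServerName")))
    print(outer_search("index=software_inventory", spl_return(SUBSEARCH_ROWS, "ServerName", 500000)))
    print(outer_search("index=software_inventory", spl_format(SUBSEARCH_ROWS, "ServerName")))
```

Note that a subsearch's own result limit (the `maxout` setting in limits.conf, commonly 10,000 rows) still caps how many names reach the outer search, so a large `return` count does not by itself guarantee every server is included.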
Thanks so much for your great help!!!
Problem solved? If so can you mark as answer?
Yes! Thank you so much!
I did mark the answer!
Hi, which query helped you?
index=software_inventory [ search index=hardware_inventory vendor=hp env=prod ServerName=* | dedup ServerName | fields ServerName | format]
Thanks so much for your response!
I tried both methods but it doesn't work the same way as it does when manually putting "ServerName" values into the search.
Field ServerName does exist. In my example "servername1..2" in lower case is the actual value of the ServerName field.
Does the ServerName field exist in the software_inventory index?
Converted to an Answer, because it is one. 🙂