Splunk Search

How to return alternative subsearch results if a first subsearch returns empty string

DSan
New Member

In general terms, I've been trying to create a search that can perform a subsearch using a few fields that are present in one collection of related events in order to find a unique uuid field, which I then use to perform another search in order to retrieve all events with that uuid. This would include the events found by the prior subsearch, but also other events that do not have the fields used in the original subsearch but do have this unique uuid (they're sourced from a different application, but the uuid is passed through).

The issue I'm having is that the uuid is a relatively new addition, and I'd like to be able to default to essentially the original subsearch (without then filtering on the uuid field) and so at least be able to display some of the events should the user wish to view the logs of a task where they've not used the latest version of the application which contains the uuid update.

My current implementation will return no events at all when targeting old versions of the task, as the first subsearch returns the value of the uuid field, which in those older events would be null/empty. I can't seem to find a way to do some kind of conditional where, if that subsearch returns null/empty, it just re-runs the subsearch but doesn't return the uuid, and instead returns whatever that subsearch comes back with (or just the result of another search that could be a copy of the original subsearch minus the filtering).

Example:

  • I have a task that logs out two shapes of events, due to there being two source applications as part of the task
  • The first set of events related to a particular task have message shapes that can be of the form:
    • old: { "name": "some_name", "count": "3" }
    • new: { "name": "some_name", "count": "3", "uuid": "some-uuid-that-is-current-task-invocation-specific" }
  • The second set of events related to that same particular task have message shapes that can be of the form:
    • old: { "some_detail": "some_value", "another_detail": "another_value" }
    • new: { "some_detail": "some_value", "another_detail": "another_value", "uuid": "some-uuid-that-is-current-task-invocation-specific" }
  • My first subsearch uses the name and count fields, using specific values selected via an input dropdown in a dashboard, to find the first set of events that are related to this particular run of the task. It then returns the uuid field directly to the main search, which then retrieves all events with that uuid (common to both sets of events, and unique per task invocation).
  • However, if we're looking at an old version of the task, it finds nothing as there's no uuid field present.
  • I'd like to be able to somehow check the result of that subsearch:
    • if not null, then pass it to the main search as usual and retrieve all the related events.
    • if null, then return the results of another search instead (or the original subsearch, but without trying to filter on a uuid).

I've tried using things like where, appendPipe, if, isNotNull, etc., but with no success so far, though that may be more to do with my lack of understanding than with them not being the right tools for the job!

Many thanks for any help you can give!

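One way to express the "uuid if present, otherwise fall back to the original filter" logic, as an added example that is not part of the original post and not something the poster or Splunk provided. It relies on the documented subsearch behaviour that a subsearch returning a field named `search` has that field's value inserted verbatim into the outer search, so the fallback decision can be made inside the subsearch itself rather than depending on what Splunk does with an empty subsearch. The index name `app`, the sourcetypes `app_a`/`app_b` and the dashboard tokens `$name_tok$`/`$count_tok$` are assumptions standing in for the poster's real values.

```spl
index=app sourcetype IN ("app_a", "app_b")
    [ search index=app sourcetype="app_a" name="$name_tok$" count="$count_tok$"
      | stats count AS matched, values(uuid) AS uuid
      | eval search=if(isnull(uuid),
            "(sourcetype=\"app_a\" name=\"$name_tok$\" count=\"$count_tok$\")",
            "uuid IN (" . mvjoin(mvmap(uuid, "\"" . uuid . "\""), ", ") . ")")
      | fields search ]
| sort 0 _time
```

The `stats count ... values(uuid)` line is what makes the check reliable: because `count` is present, `stats` always emits exactly one row, so `uuid` is null both when no first-set events matched and when only old-style events (without a uuid) matched. In the null case the `eval` builds the original name/count filter as a string, so the outer search returns the old-style first-set events; otherwise it builds a `uuid IN (...)` clause (`mvmap` needs Splunk 8.0 or later; with a single uuid per invocation a plain `"uuid=\"" . uuid . "\""` concatenation works too) and the outer search returns every event carrying that uuid from both applications. `fields search` drops `matched` so it is not formatted into the outer query. The usual subsearch limits (default 10,000 results and a 60-second timeout) still apply, but here the subsearch only ever hands back a single row.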