I can't return _raw data from the subsearch as below, but I can find this raw data if I use it in a separate main search.
I'm able to get _raw data when this join was not working properly if I remove ESBDPUUID from the main search.
index=esb_dev earliest=-14d@d latest=@d sourcetype="datapower_audit" status="FAILURE" OR STATUS="ERROR" |stats values(ESBDPUUID),values(status),count by ESBDPUUID,host,svc_bp_name _time | join type=left ESBDPUUID[search index=esb_dev sourcetype="datapower_Error" |table _raw ]
This is not displaying the result, but when I remove table _raw then I can see the result well.
Have you tried renaming your _raw in the subsearch and return it with the ESBDPUUID to the main search:
index=esb_dev earliest=-14d@d latest=@d sourcetype="datapower_audit" status="FAILURE" OR STATUS="ERROR" |stats values(ESBDPUUID),values(status),count by ESBDPUUID,host,svc_bp_name _time | join type=left ESBDPUUID [search index=esb_dev sourcetype="datapower_Error" | eval sub_raw = _raw | table ESBDPUUID, sub_raw ]
Thanks Peter, it's working. Really, thanks a lot.
If you use a join there needs to be a field with the same name in the subsearch (in your case, ESBDPUUID). By adding table _raw to the subsearch, you eliminate all of the fields except for _raw, which means that there is no ESBDPUUID field to join on anymore. That's why your search fails when it's there, and succeeds when it's not.
What happens if you add table ESBDPUUID _raw in the subsearch instead? Does that get you what you want?
Hi buddy, thanks for your suggestion, but it's not working even though I have put this also: | ESBDPUUID _raw. It only shows the result when I remove this table and put only the query; then it combines with each field and shows the result.
It is not even creating a field with blank values when I put ESBDPUUID, but it creates a field if I put something random like ESB or any other field.