I have a field called query that's like so:
(index="abc" OR index="def") (host="ghi" OR host="jkl") (sourcetype="mno" sourcetype="pqr") (source="stu" source="vwx") "*yz*"
I am trying to leverage it in a map search:
<search that gets me the above field> | map search="search $query$"
It doesn't seem to work. How do I go about doing it if another way is possible?
Just to clarify, map doesn't have to be the only solution; I simply need a solution to use the query field to perform a search per row (in addition to stats count) to find the number of results returned for each search.
Try something like this:
<search that gets me the above field> | map search="search index=$index$ sourcetype=$sourcetype$ source=$source$ host=$host$"
What should $index$ be to work with your solution? There is a variable number of indexes:
map search="search index=$index$"
index="abc" OR index="def"
I can't do
map search="search (index=$indexA$ OR index=$indexB$)"
because $index$ is a multivalue field that's variable in length.
The map command works on each event in the pipeline, i.e., the events returned by the search. Each event will have come from an index, a sourcetype, a source and a host. Each event could have different sets or the same values for each. The search in map, as I showed, should use the values for the event it is processing.
| eval query="search (index=\"abc\" OR index=\"def\") (host=\"ghi\" OR host=\"jkl\") (sourcetype=\"mno\" sourcetype=\"pqr\") (source=\"stu\" source=\"vwx\") \"*yz*\""
| map search="| makeresults | map search="$$$$query$$$$
Should the above work? I'm using it in a dashboard form.
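As an added illustration (not code from this thread or from Splunk), the small Python helper below builds the per-row search string from variable-length multivalue fields and shows the escaping the eval/map attempt above needs: inner double quotes and backslashes are escaped as in any SPL string literal, and dollar signs are doubled on the assumption that map reads `$...$` as a token and `$$` as a literal dollar. The sample row is constructed.

```python
# Added example: compose a per-row Splunk search string from multivalue
# fields (any number of values per field) and render it for eval and map.
# The sample row in the test is constructed, not taken from the thread.
from typing import Mapping, Sequence

# Fields the thread's query groups on, in the order they appear there.
GROUP_FIELDS = ("index", "host", "sourcetype", "source")


def spl_escape(value: str) -> str:
    """Escape backslashes and double quotes for use inside an SPL literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def spl_quote(value: str) -> str:
    """Return value as a double-quoted SPL literal."""
    return '"' + spl_escape(value) + '"'


def or_clause(field: str, values: Sequence[str]) -> str:
    """(field="a" OR field="b"); an empty list adds no constraint."""
    terms = [f"{field}={spl_quote(v)}" for v in values]
    return "(" + " OR ".join(terms) + ")" if terms else ""


def build_query(row: Mapping[str, Sequence[str]], free_text: str = "") -> str:
    """Compose the search string for one row, skipping fields with no values."""
    parts = [or_clause(f, row.get(f, ())) for f in GROUP_FIELDS]
    if free_text:
        parts.append(spl_quote(free_text))  # e.g. the trailing "*yz*"
    return " ".join(p for p in parts if p)


def as_eval(query: str, field: str = "query") -> str:
    """Render the query as an eval assignment with quotes escaped."""
    return f"| eval {field}={spl_quote(query)}"


def as_map_template(query: str) -> str:
    """Inline the query into a map search= template and count per row.
    Assumption: map treats $...$ as a token, so a literal $ is written $$."""
    inner = spl_escape(query).replace("$", "$$")
    return f'| map search="search {inner} | stats count"'
```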