Solved: How would I use multiple values from a subsearch a...

mdwasimkhan · ‎07-24-2017

Hi All,

I am looking for a query which will accept multiple value subsearch output as a input of main serach, See below :

index=myIndex UniqueReqId in [ search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId ]

This sub search "search index=myIndex MyLogger | dedup UniqueReqId | stats count(UniqueReqId) as "Total user" by UniqueReqId" will return multiple value like below :

UniqueReqId Total user
002cc2c7-b1e4-49de-bbd3-caa6c2e741e3 1
00426627-98cf-4dd5-97b6-af4cde045286 1
00567c49-5638-4a0c-a803-04d0b3662aac 1
006ef351-33b8-40ed-b320-28473ea1f481 1
00caf75c-deed-4581-ab5a-04929b1a943d 1
00ff69ef-d57c-43ad-9b64-38cf39b94f6f 1
01395957-648b-4e9a-ac76-7fa68f833fce 1
01e82329-3d58-4d11-bdca-88100a2dc85c 1
02084578-869a-4ce5-bc20-b86c3fea34d2 1
021272cb-c043-483f-8512-244210471c63 1
02191c34-b485-4a6d-9d77-53f0a8e7875c 1
0228ff59-27f8-47e1-a38f-88acdb94fb22 1
028177b6-f2f3-4c53-948e-558d51287d43 1
02be90c8-5737-4f89-a204-2a3ea5f79047 1
02df9ecb-29bf-4aad-b479-26fde9b6ca94 1
02e2ef7f-ea55-4311-b724-c06fe5ab416d 1
02e7bacd-4579-44c6-b4c2-be0a4fbf4566 1
02eb4faa-39c1-431d-9590-a1fabc7eecd8 1
031229db-d4ef-4783-b649-9a1e738d495a 1
03216368-6d8e-42e9-8fb1-e2ace7794f4c 1

Now whatever the value we are getting in column UniqueReqId, we need to use each value one by one to the main query in UniqueReqId=EachValue.

Like Sample example :

index=myIndex UniqueReqId IN [002cc2c7-b1e4-49de-bbd3-caa6c2e741e3,00426627-98cf-4dd5-97b6-af4cde045286,00426627-98cf-4dd5-97b6-af4cde0452dsd,etc]

I searched a lot but did not get the solution for my requirement however got the solution for single value subsearch output as input for main search.

Thanks,
Wasim

woodcock · ‎07-24-2017

Like this:

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

View solution in original post

woodcock · ‎07-24-2017

Like this:

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

mdwasimkhan · ‎07-25-2017

Yes, This is what i was looking for.

Thanks

gcusello · ‎07-24-2017

Hi mdwasimkhan,
If I correctly understood, try something like this

index=myIndex MyLogger [ search index=myIndex UniqueReqId | eval UniqueReqId=upper(UniqueReqId) | dedup UniqueReqId | fields UniqueReqId ]
| stats count as "Total user" by UniqueReqId

In this way you have the event count for each user.
beware that UniqueReqId field must have the same name in both the searches.

Bye.
Giuseppe

mdwasimkhan · ‎07-25-2017

I downvoted this post because below is the expected query :

index=myindex [ search index=myindex mylogger | dedup uniquereqid | fields uniquereqid ]

thanks

mdwasimkhan · ‎07-25-2017

Actually I have 2 below logger, In that common field is UniqueReqId only.

LOGGER([UniqueReqId]+[MyLogger])
LOGGER([UniqueReqId]+[userName]+[Action])

So my requirement is i need to find out the UniqueReqId which contains MyLogger.[ This i want to search in sub-search block.]

once i will get the
all possible UniqueReqId in sub-search then We need to find out the userName who is using action=myAction and UniqueReqId=[Multiple UniqueReqId from subsearch].
So fetch the userName from all possible UniqueReqId got from subsearch where action=myAction.

We have multiple actions, so action=MyAction and UniqueReqId=(02191c34-b485,0228ff59,02be90c8,02e2ef7f etc)

MyLogger is not require here, because it does not apear in other logger.

Below command is working fine for me. Thanks Giuseppe 🙂

index=myIndex [ search index=myIndex MyLogger | dedup UniqueReqId | fields UniqueReqId ]

How would I use multiple values from a subsearch as input to the main search?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation