Best way to write a search where we want to pass the result from one search to another and still keep the results of the first search as they are.
<some search>
| map search="| customcommand value=$url$"
| fields url, <fields_from_custom_command>, <fields_from_above_search>
I have the above search, but as we all know it will not return fields_from_above_search. My target is to also get fields_from_above_search. One solution that immediately came to my mind is the appendpipe command followed by stats, but unfortunately it gives an error with the map command; it works with other searches.
<some search>
| appendpipe [| map search="| customcommand value=$url$"]
| fields url, <fields_from_custom_command>, <fields_from_above_search>
Error in 'map' command: Unable to find saved search 'search='.
If possible, an optimized solution would be even better, as customcommand supports comma-separated urls in the value argument. So here customcommand will run only once, which is a very good optimization.
@VatsalJagani
You can access the main search fields by eval in the map search. Can you please try it by taking reference from the sample search below?
| makeresults | eval Field1="ABCD" | map search=" | makeresults | eval count=1, Field1=\"$Field1$\",Field2=\"$Field1$\" "
In case of a nested map, you can try the search below:
| makeresults | eval Field1="ABCD" | map search=" | makeresults | eval count=1, Field1=\"$Field1$\",Field2=\"$Field1$\" | map search=\" | makeresults | eval ABC=10,Field1=\\\"$Field1$\\\",Field2=\\\"$Field1$\\\" \" "
Thanks
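The reply's technique applied to the shape of the search in the question, as an added example that is not part of either post: makeresults stands in for the asker's customcommand, and src_host and lookup_result are made-up field names. maxsearches is set explicitly because map runs at most 10 subsearches by default, so outer rows beyond that limit are not processed.

```spl
| makeresults count=2
| streamstats count AS n
| eval url="https://example.test/page".n, src_host="host".n
``` constructed outer rows: url plus one extra field (src_host) that must survive map ```
| map maxsearches=100 search="
    | makeresults
    | eval lookup_result=\"checked\"
    | eval url=\"$url$\", src_host=\"$src_host$\"
  "
``` each outer field to keep is copied into the subsearch result by name with eval ```
| fields url, lookup_result, src_host
```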