- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search and subsearch that is working as required but there is a field in the subsearch that I want to display in the final table output but is not a field to be searched on.
index=aruba sourcetype="aruba:stm" "*Denylist add*" OR "*Denylist del*"
| eval stuff=split(message," ")
| eval mac=mvindex(stuff,4)
| eval mac=substr(mac,1,17)
| eval denyListAction=mvindex(stuff,3)
| eval denyListAction= replace (denyListAction,":","")
| eval reason=mvindex(stuff,5,6) | search mac="*:*"
[ search index=main host=thestor Username="*adgunn*"
| dedup Client_Mac
| eval Client_Mac = "*" . replace(Client_Mac,"-",":") . "*"
| rename Client_Mac AS mac
| fields mac ]
| dedup mac,denyListAction,reason
| table _time,mac,denyListAction,reasonWhat I want is for the value held in field Username to be included in the table command of the outer search. How do I pass it from the subsearch to be used in the table command and not used as part of the search?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The most common way to handle this is to use append instead. The following example uses eventstats.
index=aruba sourcetype="aruba:stm" "*Denylist add*" OR "*Denylist del*"
| eval stuff=split(message," ")
| eval mac=mvindex(stuff,4)
| eval mac=substr(mac,1,17)
| eval denyListAction=mvindex(stuff,3)
| eval denyListAction= replace (denyListAction,":","")
| eval reason=mvindex(stuff,5,6)
| dedup mac,denyListAction,reason
| append
[ search index=main host=thestor Username="*adgunn*"
| dedup Client_Mac
| eval Client_Mac = "*" . replace(Client_Mac,"-",":") . "*"
| rename Client_Mac AS mac
| fields mac Username ]
| eventstats values(UserName) as UserName by mac
| where isnotnull(UserName)
| table _time,mac,denyListAction,reason,UserName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @bowesmana . I had a fleeing it was not going to be as easy as I had hoped.
I'm rethinking my approach to see if I can find a way to achieve what I need.
Thanks again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The most common way to handle this is to use append instead. The following example uses eventstats.
index=aruba sourcetype="aruba:stm" "*Denylist add*" OR "*Denylist del*"
| eval stuff=split(message," ")
| eval mac=mvindex(stuff,4)
| eval mac=substr(mac,1,17)
| eval denyListAction=mvindex(stuff,3)
| eval denyListAction= replace (denyListAction,":","")
| eval reason=mvindex(stuff,5,6)
| dedup mac,denyListAction,reason
| append
[ search index=main host=thestor Username="*adgunn*"
| dedup Client_Mac
| eval Client_Mac = "*" . replace(Client_Mac,"-",":") . "*"
| rename Client_Mac AS mac
| fields mac Username ]
| eventstats values(UserName) as UserName by mac
| where isnotnull(UserName)
| table _time,mac,denyListAction,reason,UserName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You would either have to include that subsearch part as an OR in the outer search and munge the data so you could join the data sets with stats somehow, or create a lookup through a saved search on a regular basis (if it changes) and use the lookup to filter rather than the subsearch, then you'd have anything you need
