I have the following sub-search:
index=voice "ani" "8005558508"
| rex field=_raw "{\"ani\",\"(?<ani>\d*)\"}"
| rex field=_raw "{\"vdu_id\",\"(?<vdu>.*?)\"}"
| where ani="8005558508" | fields vdu | table vdu | sort _time | head 1
And I would like to then port the results of vdu
into another search. The issue I'm having is that I only need the value of vdu
and not the key pair. If the above search returns 53ed0055005700000a54907d232e0002
I need to then pass that into a search of this nature:
index=voice "53ed0055005700000a54907d232e0002"
What's the best way to go about this?
I tried using Map and the following, but neither seemed to work.
index=voice [search index=voice "ani" "8005558508"
| rex field=_raw "{\"ani\",\"(?<ani>\d*)\"}"
| rex field=_raw "{\"vdu_id\",\"(?<vdu>.*?)\"}"
| where ani="8005558508" | fields vdu | table vdu | sort _time | head 1]
Try this
index=voice [search index=voice "ani" "8005558508"
| rex field=_raw "{\"ani\",\"(?<ani>\d*)\"}"
| where ani="8005558508"
| rex field=_raw "{\"vdu_id\",\"(?<vdu>.*?)\"}"
| table vdu | sort _time | head 1 | eval search=vdu | return search]
Update:
Same method with a little performance enhancement
index=voice [search index=voice "{\"ani\",\"8005558508\"}"
| rex field=_raw "{\"vdu_id\",\"(?<vdu>.*?)\"}"
| stats first(vdu) as search | return search]
Alternative with map
index=voice "{\"ani\",\"8005558508\"}"
| rex field=_raw "{\"vdu_id\",\"(?<vdu>.*?)\"}"
| stats first(vdu) as vdu | map maxsearches=1 search="search index=voice \"$vdu$\""
OR (with original search)
index=voice "ani" "8005558508"
| rex field=_raw "{\"ani\",\"(?<ani>\d*)\"}"
| where ani="8005558508"
| rex field=_raw "{\"vdu_id\",\"(?<vdu>.*?)\"}"
| table vdu | sort _time | head 1 | map maxsearches=1 search="search index=voice \"$vdu$\""
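The difference between the asker's first attempt and the working answer is how Splunk turns a subsearch's result row into search text: an ordinary field comes back as `field="value"`, while a field named `search` (or `query`) is inserted verbatim. The following Python, an added example that is not from this thread or from Splunk, simulates that rendering and the two rex extractions over two constructed events (the 2014 timestamps and the second ANI are made up) so the behaviour can be checked offline.

```python
import re

# Constructed sample events in the shape the question's rex patterns expect.
EVENTS = [
    '2014-08-14 10:00:01 {"ani","8005558508"} {"vdu_id","53ed0055005700000a54907d232e0002"}',
    '2014-08-14 10:00:05 {"ani","8005551234"} {"vdu_id","53ed0055005700000a54907d232e0009"}',
]

# Same patterns as the thread's two rex commands, in Python named-group syntax.
ANI_RE = re.compile(r'{"ani","(?P<ani>\d*)"}')
VDU_RE = re.compile(r'{"vdu_id","(?P<vdu>.*?)"}')


def extract(raw):
    """Mimic the two rex commands: return the ani/vdu fields found in one event."""
    fields = {}
    for rx in (ANI_RE, VDU_RE):
        m = rx.search(raw)
        if m:
            fields.update(m.groupdict())
    return fields


def render_subsearch(rows):
    """Render result rows the way Splunk's implicit format step builds subsearch text.

    Assumption (mirrors the documented behaviour, not Splunk's own code): fields named
    'search' or 'query' are inserted verbatim, every other field becomes field="value",
    fields of one row are AND-ed and rows are OR-ed."""
    clauses = []
    for row in rows:
        parts = [str(v) if k in ("search", "query") else f'{k}="{v}"'
                 for k, v in row.items()]
        clauses.append("(" + " AND ".join(parts) + ")")
    return "(" + " OR ".join(clauses) + ")"


def subsearch(events, ani, as_search):
    """first(vdu) of the events whose ani matches, emitted as 'vdu' or as 'search'."""
    for raw in events:
        f = extract(raw)
        if f.get("ani") == ani and "vdu" in f:
            return [{"search" if as_search else "vdu": f["vdu"]}]
    return []  # empty subsearch: the outer search gets an empty clause


def outer(events, ani, as_search):
    """The outer 'index=voice [ ... ]' search after subsearch substitution."""
    return "index=voice " + render_subsearch(subsearch(events, ani, as_search))
```

With `as_search=False` the outer search becomes `index=voice ((vdu="53ed…"))`, which only matches events that carry a `vdu` field; with `as_search=True` it becomes `index=voice ((53ed…))`, the bare-value search the asker wanted.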
I was missing 'search' keyword there. Try the updated answer now.
For the alternate with map I get the following error: Unable to run query 'index=voice "53eddd6b000000000ac3b89223310002"'.
But if I manually run that query everything runs fine
I think it doesn't have the same timeout. Try the updated answers.
Does Map also have the same timeout as a subsearch? If not, is there a way to do this via the map command?