Subsearch return multiple fields

antb · ‎03-27-2020

Hi and thank you in advance. I've simplified the problem for brevity sake.

I'm trying to return multiple fields by way of using a subsearch. Looking for a recent match in index2 where there was an older event occurring in index1.

An example would be detecting an attack with previous reconnaissance.

index=index1 earliest=-5h@h latest=-1h@h dst=* [search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | return dst=dest ]

This works, for finding a match. However, I want to pass up the _time of the more recent event in index2 (index2_time) and that doesn't appear to populate.

manjunathmeti · ‎03-27-2020

If index2_time field is part of index1 then check with format. If not, replace field name index2_time with timestamp field in index1 which contains _time values.

index=index1 earliest=-5h@h latest=-1h@h dst=* [ search index=index2 earliest=-15m latest=now() dest=* | head 1 | eval index2_time=_time | fields dest, index2_time | format ]

antb · ‎04-07-2020

Hi @manjunathmeti, I reviewed this response (and waited to see if there were others) but not sure I understand. index2_time is just the example I'm using where I bubble up the _time - I could have chose any field. The assignment to index2_time isn't being populated as I can only return a single field.

Subsearch return multiple fields

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update