I have 2 indexes. 1 index has the price with product code
Another index has product code and product name
the subsearch is below:
index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]
it will return the product name , however if i use as subsearch, it will say no result
index=price [search index=product code=1
| lookup code.csv product_code as code OUTPUT product_name as product_name
| dedup product_name| fields product_name ]
Actually, I want to filter name = subsearch result as well
i found out have to add "return product_name" at the subsearch , then work fine. Thanks
Hi kennethyeung,
Only to understand:
if in index2 you have code and product name: why do you use lookup?
Anyway, probably the problem is in the case.
Try to convert in upper o lower case both the searches.
Or you could rebuild your search:
index=price OR index=product
| rename code AS product_code
| stats values(price) AS price values(product_name) AS product_name BY product_code
Bye.
Giuseppe
thanks, becasue the product code is not same on different index, 1 index is 1234 another index product code is short form for the product, (E,g ABC)
that's why i use lookup to map it.
but do you know why my subsearch not work?
Hi kennethyeung,
probably the problem is in the case.
Try to convert code and product_code in upper o lower case in both the searches.
Bye.
Giuseppe
Your subsearch should just get the results from the lookup e.g.
|inputlookup code.csv where product_code=1 | table product_name
Alternatively, you can replace index=product with below to make sure you always have data
index=product earliest=0 latest=now
i tried put "|inputlookup code.csv where product_code=1 | table product_name" as subsearch but not working as well
index=product [ inputlookup code.csv where product_code=1 | table product_name] no result found
It needs to be | before the inputlookup.
Did you also try the earliest and latest setting I suggested in previous comment?