Solved: Where with subsearch

nkankur · ‎04-18-2018

Hi All,

I am trying correlate 2 different search queries using where with subsearch
it goes like this:

host="host1" | table Value1
above search give result : 40

host="host2" | where Value2<40
above search gives a list of events

But when I use above two in one search query like:
host="host2" | where Value2>[host="host1" | table Value1]

it's giving error : Error in 'where' command: Typechecking failed. The '<' operator received different types.

Kindly help!

somesoni2 · ‎04-18-2018

The subsearch is returning field name as well, hence it fails (your where clause becomes | where Value2>Value=40). Try any of below

host="host2" | where Value2>[host="host1" | table Value1 | return $Value1]

OR

host="host2" | where Value2>[host="host1" | table Value1 | rename Value1 as search]

somesoni2 · ‎04-18-2018

The subsearch is returning field name as well, hence it fails (your where clause becomes | where Value2>Value=40). Try any of below

host="host2" | where Value2>[host="host1" | table Value1 | return $Value1]

OR

host="host2" | where Value2>[host="host1" | table Value1 | rename Value1 as search]

nkankur · ‎04-18-2018

Thanks a lot! It worked!

Where with subsearch