I am trying to make this query work:
index="main" | eval host=asset_id | collect index="scanned_app"
asset_id is a field, not a static value.
Two observations regarding the query:
- without | collect ..., the search shows data as I expect it - with the meta-field host set from asset_id
- with | collect ..., the resulting index carries host unchanged from the source.
Q: how do I change host, so that it can be persisted in another index?
index="main" | eval *magic_here* | collect index="scanned_app"
You can try to wrap your search in the map command, which dynamically lets you generate another search.
This generates an event in the summary index with host=hello set from the outer search.
| makeresults
| eval asset_id="hello"
| map search="| makeresults | collect index=scanned_app host=$asset_id$"
This will work. Remember that the map command, by default, is limited to only 10 sub-search iterations. Use the option maxsearches=10000 or something more appropriate for your data set.
Converting the above to your actual search, see below. You probably don't need "_time=$orig_time$," in the eval.
index="main"
| eval orig_time=_time, orig_raw=_raw
| map maxsearches=10000 search="| makeresults count=1
| eval _time=$orig_time$, _raw=\"$orig_raw$\"
| collect index=scanned_app sourcetype=X host=$asset_id$"
@jbjerkesplunk and @pwildsplunk thank you for the comments. Could you perhaps help me understand why the SPL
index="main" | eval host=asset_id | collect index="scanned_app"
works without | collect ... and does not work with | collect ...? What is happening during
This may not do what you want. The events in the summary index will contain a host field that is multi-valued, containing the indexed host field as well as the auto-extracted host value. If the purpose of this is to create a dashboard or graph, you may be able to work with the data by removing the first value with something like this.
| eval host=mvindex(host,1)
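An added verification search, not from any answer in this thread, that checks whether the host values persisted in the summary index actually line up with asset_id in the source index. It assumes the index names from the question and, because of the multi-valued host described above, takes the last value with mvindex(host, -1) so it works whether or not host came back multi-valued:

```spl
index="scanned_app"
| eval collected_host=mvindex(host, -1)
| stats count AS collected_events BY collected_host
| rename collected_host AS asset_id
| join type=left asset_id
    [ search index="main" | stats count AS source_events BY asset_id ]
| where isnull(source_events)
```

Any row returned is a host in scanned_app that matches no asset_id in main, i.e. an event where the rewrite did not take effect; an empty result means every collected event carries an expected host.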