I have a search that finds computers that have not checked in for the last couple of minutes. It seems to give the results I need, but I need some more specific information from each host that this command finds.
| metadata type=hosts | eval age = now()-lastTime | where age > 300 and age < 86400
| sort age d | convert ctime(lastTime) | eval field_in_ddhhmmss=tostring((age) , "duration")
| rename field_in_ddhhmmss as "Time Offline" | table host,lastTime,"Time Offline"
So I would like to then add some columns to my table that are specific to each host that it finds. The search below would show me the extra data I need. How can I combine these to work together?
sourcetype=_sort=PUT HOST FROM OTHER SEARCH HERE earliest=1
| head 1 | rename hd as "Total Disk GB" memory as "Total Memory" isp as "ISP" state as "State"
host as "Serial Number" os_install_date as "Build Date" model as "Model" city as "City"
| table host,"Total Disk GB","Model","Total Memory","Serial Number","ISP","City","State",
"Build Date"
You could use a join.
| metadata type=hosts | eval age = now()-lastTime | where age > 300 and age < 86400
| join host [search sourcetype=_sort | rename hd as "Total Disk GB" memory as "Total Memory" isp as "ISP" state as "State" os_install_date as "Build Date" model as "Model" city as "City"]
| sort age d | convert ctime(lastTime) | eval field_in_ddhhmmss=tostring((age) , "duration")
| rename field_in_ddhhmmss as "Time Offline"
| table host,lastTime,"Time Offline","Total Disk GB","Model","Total Memory","ISP","City","State","Build Date"
Worked great! Thanks
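Added example, not part of the original thread: a variant of the join above for larger fleets. It collapses the `sourcetype=_sort` events to one row per host with `stats latest(...)` before joining, which keeps the subsearch well under its result limits, and uses `type=left` so a silent host that has no inventory event still appears in the table instead of being dropped. Field names are the ones used in the thread; the subsearch time range is assumed to cover at least one inventory event per host.

```spl
| metadata type=hosts
| eval age = now() - lastTime
| where age > 300 AND age < 86400
| join type=left host
    [ search sourcetype=_sort
      | stats latest(hd) as "Total Disk GB"
              latest(model) as "Model"
              latest(memory) as "Total Memory"
              latest(isp) as "ISP"
              latest(city) as "City"
              latest(state) as "State"
              latest(os_install_date) as "Build Date"
              by host ]
| sort - age
| eval "Time Offline" = tostring(age, "duration")
| convert ctime(lastTime)
| table host, lastTime, "Time Offline", "Total Disk GB", "Model", "Total Memory", "ISP", "City", "State", "Build Date"
```

Hosts with empty inventory columns in the result are ones that stopped reporting and also have no `_sort` event in the searched time range, which is itself worth following up.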