We have two indexers in place. index=A & index=B. From index=A I have queried out the field which I want the value for.
index=A | search PC="*" | table ReqID index, this will return value to the field ReqID. Lets say ReqID=X.
Now I have to use the value of the above field ReqID=X and search in another index=B. In the index=B the same value carries a field name called RequestersID=X.
I have to create a search query in such way that output from the first index should automatically serve the purpose as input to the second index=B and provide a combine result in the form of table.
| table ReqID RequestersID index
You need to use subsearch like this
index=B [search index=A | search PC="*" | table ReqID | rename reqID as RequestersID ] | table RequesterID index
Since you're looking for events which has same RequesterID as ReqID in index A, both fields in your final table ReqID and RequestersID will be same, so I've not added it. If you need it , just add | eval ReqID =RequesterID
at the end.
Thanks somesoni2 for replying. Can you please anything further on this to obtain the results
I have tried executing this command, I was quite unsuccessful as there no events getting written
index=orsapps [ search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID ] | rex "RequestersID>(?[^<]*)" | table RequestersID _time index
But when I type individual queries I am able to see the table -
index=orsapps
| rex "RequestersID>(?[^<]*)"
| table RequestersID _time index
Result -
RequestersID _time index
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610479853358211 2017-03-27 11:28:00 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
0610467479012357 2017-03-27 11:27:48 orsapps
Individual subquery result -
search index=esbapps | search E2E_busProcID="D1 7SH" | table ReqID | rename ReqID as RequestersID
RequestersID _time index
0610479853358211 2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
2017-03-27 11:29:06 esbapps
0610479853358211 2017-03-27 11:29:05 esbapps
0610467479012357 2017-03-27 11:28:55 esbapps
2017-03-27 11:28:54 esbapps
2017-03-27 11:28:54 esbapps
0610467479012357 2017-03-27 11:28:53 esbapps
Output of the first query is to be servered as the input to the first query. Can you please help me in getting all in a same table as in the final result. Final table format -
RequestersID _time index
xxxxx xxxxx esbapps
xxxxx xxxxx orsapps