hi everybody,
i'm try to conserve content field value but i don't understand how i can.
in my search :
index=A OR index=B
initial : field1 is here
<here i'm using filtering with regex and dbquery>
after that i get filtered (field1) = field2
but if i want to reuse the initial value of field1 i should to use join or append [index=A OR index=B field1]
how can i reuse the initial field1 without join or append.
ps : i tryed to use eval newfield=field1 but it don't work the newfield does not remain as it is
i'm thinking about kvstore but if i can use a special commands it will be great
thx
Could you please post the regex you are using ? are you applying the regex on the raw data ? because if thats the case even if you recreate the field it would still get modified.. make sure you apply it on the specific field.
Hi sfatnass
Retry with multisearch command which Run multiple searches at the same time.
See it syntax
| multisearch <subsearch1> <subsearch2> <subsearch3> ...
For you case try to use
|multisearch [search index=A OR index=B |eval field1=field2][search index=A OR index=B |fields field1]............
Tell if it works like you want
chimell the index A can't match with index B
for index A i have a field and i try to get a newfield like
|eval newfieldA=fieldA
the fieldA will be filtered by many dbquery
but i want to reuse newfieldA like it was before filtering.
Can you show me your search code ?
field1 below to which index ?
oh sorry i can't show you my code it's not public values
Ok without problem but see my new answer above
Hello! The only way to use the initial value of field1 it is to use the eval or a subsearch.
And if you use eval, do something like this: |eval newfield=field1
, and not |aval field1=newfield
, because it will change the initial value of field1.
Thanks
i just want to reuse a field as it was before being filtered
i use |eval newfield=field1 but newifield change where is aval ????
I do not know if I've understood very well your problem. field1 is not the field you want to reuse? Because |eval newfield=field1
will not change de value of field1, But the value of newfield will be the value of field1.
but i want to conserve the integral values in my new fields
That is what you have to know. If you want to reuse the initial value of a field in your search query, do not assign to that field a value, before the use of the field. For example:
Let suppose that you have a field named field1, and that, initially field1=10.
Then in your search query, if you do something like this: ...|eval field1=50|eval field2=field1+5|table field1 field2
result:
field1 field2
50 55
As you can see, the initial value of field1 has change, and that is why field2=55.
But if you do like this: ...|eval field2=field1|eval field3=field1+5|table field1 field2 field3
result:
field1 field2 field3
10 10 15
Here the initial value of field1 did not change, and t that is why you have field3=15
Thanks