I am trying to pass the numeric result of a subsearch to the head command with no success. Can anyone see what I am doing wrong?
The following query returns a count of 3
index=starx error | fieldformat count=count/2 | stats count
I want to use that query as a subsearch result for the head command like this
index=starx error | head [ search index=starx error | fieldformat count=count/2 | stats count ]
But I get no results found.
If you want to pass a value to the head command, you must return only a value from the subsearch, but you're currently returning count=somenumber. To get back only a value from the subsearch, run this run-everywhere search:
index=_internal error | head [ search index=_internal error | stats count | rename count AS search ]
This will rename the count field to a search field, which will just come back as a value. This way head can use it.
Hope this helps ...
With your query, both the base search and the subsearch return the same count, hence the head value returned is not divided by 2.
Finally got it!
index=starx error | head [ search index=starx error | stats count | eval total=round(count/2) | rename total AS search ]
If you want to avoid using a subsearch altogether you could do something like this:
index=starx error | streamstats count as total_results | eventstats p50(total_results) as average | eval keep=total_results-average | search keep>0
This avoids any limitations in the subsearch if your index is very large, and saves you from running the index=starx search twice.