Re: pass variable and value to subsearch

Qingguo · ‎09-28-2021

Hi All

I have a question and need to do the following:

Search contidtion_1 from (index_1 ) and then get the value of field_1 and the value of field_2.

then search the value of field_1 from (index_2 ) and get value of field_3.

I want to have a difference calculation between value of field_2 and value of field_3.

It it possible to achieve this using a single query?

Qingguo · ‎10-05-2021

Thanks for your reply ,

here are more detailed requirement, I've got some logs I need to join and put on the same row and difference values .

Index1 events: (base query: index=index1 playbook=100)

"Playbook":"100","update_time":"2021-09-27T10:51:16.572759Z","container":"1497"
"Playbook":"100","update_time":"2021-09-27T10:52:16.572759Z","container":"1498"
"Playbook":"100","update_time":"2021-09-27T10:53:16.572759Z","container":"1499"
........

Index2 events (base query: index=index2 😞
"container":"1497","start_time":"2021-09-26T8:53:16.232759Z"
"container":"1498","start_time":"2021-09-25T8:53:16.232759Z"
.....

Desired output:

container start_time update_time time_diff(update_time-start_time)
1497 2021-09-26T8:53:16.232759Z 2021-09-27T10:51:16.572759Z xxx
1498 2021-09-25T8:53:16.232759Z 2021-09-27T10:52:16.572759Z xxxx
1499 ....

Appreciated for any comments.

Qingguo · ‎10-05-2021

Sorry just one correction, field name of container in index1 is "container" and is renamed as "id" in index2 event log.

Index2 events (base query: index=index2 ...)
"id":"1497","start_time":"2021-09-26T8:53:16.232759Z"
"id":"1498","start_time":"2021-09-25T8:53:16.232759Z"

somesoni2 · ‎10-05-2021

Try this:

(index=index1 playbook=100) OR (index=index2 ...)
| fields id container update_time start_time
| eval container=coalesce(id, container)
| stats values(start_time) as start_time values(update_time) as update_time by container
| eval time_diff=strptime(update_time,"%Y-%m-%dT%H:%M:%S.%6N%Z")-strptime(start_time,"%Y-%m-%dT%H:%M:%S.%6N%Z")

Qingguo · ‎10-06-2021

Just one clarification, "id" was being used in index1 for other meaning.

Testing your query , I cant get values of start_time in index2

Qingguo · ‎10-06-2021

Thanks @somesoni2.

Can we have a quick webex and discussion on this ? I am on this webex in another 1 hour from now.

Join Mywebex

somesoni2 · ‎10-05-2021

Try this

(index=index1 playbook=100) OR (index=index2 ...)
| fields container update_time start_time
| stats values(start_time) as start_time values(update_time) as update_time by container
| eval time_diff=strptime(update_time,"%Y-%m-%dT%H:%M:%S.%6N%Z")-strptime(start_time,"%Y-%m-%dT%H:%M:%S.%6N%Z")

somesoni2 · ‎09-28-2021

Try something like this

(index=index_1 sourcetype=sourcetypeHere contidtion_1 ) OR (index=index_2 sourcetype=sourcetypeHere contidtion_2 )

| fields field_1 field_2 field_3

| stats values(field_2) as field_2 values(field_3) as field_3 by field_1

| eval diff=field_2-field_3

PickleRick · ‎09-28-2021

This question is way too generic. It depends. Often you can avoid subsearch alltogether with clever data manipulation. But sometimes you can't and you need simple subsearch or even | map

Hard to say without knowing more details.

ITWhisperer · ‎09-28-2021

Do you mean a join between index1 and index2 using field1?

search index_1 ...
| join field_1 [search index_2 ...]

pass variable and value to subsearch

subsearch

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor