Hello,
I'm trying to write a query where I provide a key identifier (say "A"), and the query both finds matching results, but also uses a field from those results as a filter to another query that provides additional data that's needed. Obfuscating some things, this is the idea, and the closest I've gotten:
index=ind1 earliest=-1d field1=abc | append [search index=ind1 earliest=-1d "A" field1=xyz | rename field2 as f2] | where field2=f2 OR field1="xyz"
The idea is that results where field1=xyz and contain "A" have another field, "field2", that is present and has a matching value when field1=xyz or field1=abc. So I want to be able to search based on "A" and get back results where field1=xyz or field1=abc, where field2 matches between those 2 sets.
I do think a join would probably work here, but I've heard there can be performance issues with that, so I was trying to avoid it. It seems to me that I can't use "where field2=f2", and it also seems the parent search is pulling in a lot of data because of the generally broad terms (I suppose because the piped where command is applied after the fact). Any ideas on how to write this performantly?
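Added example, not the original poster's query and not a reply posted on this thread: the pattern described above (pivot on a key to collect the correlated field2 values, then pull every event carrying one of those values) is the same shape as a typical investigation pivot, and the usual Splunk idiom for it is a subsearch placed inside the base search rather than an append followed by where. The subsearch runs first and expands to an OR of field2 values, so the filter is applied when events are read rather than after the broad parent search has returned everything. The index, field names, values and the key "A" are taken from the post; everything else is an assumption about the poster's data.

```spl
index=ind1 earliest=-1d (field1=abc OR field1=xyz)
    [ search index=ind1 earliest=-1d "A" field1=xyz
      | stats count BY field2
      | fields field2 ]
| table _time field1 field2 _raw
```

The bracketed subsearch returns one row per distinct field2 seen on the "A" events, and Splunk rewrites those rows into `(field2="v1") OR (field2="v2") ...` appended to the outer search, so only events from either field1 value whose field2 is in that set are fetched. The stats step deduplicates before the rows are handed back; without it a large set of "A" events can hit the subsearch result cap (limits.conf [subsearch] maxout, 10,000 rows by default), after which the filter is silently truncated and matching events go missing. If the key set can exceed that cap, a single-pass form avoids the subsearch entirely: search both field1 values, tag the key events with `eval hit=if(field1="xyz" AND match(_raw, "A"), 1, 0)`, propagate the tag with `eventstats max(hit) AS key_seen BY field2`, and keep `where key_seen=1`. That variant reads all events for both field1 values once, so it trades the early filter for correctness on large key sets; `match(_raw, "A")` is a regex over the raw event and is only an approximation of the original term search for "A".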