Need some advice writing a subsearch...
I have an index=email with two sourcetypes
sourcetype=MTA
sourcetype=MSG
both contain a field with a common value that ties the msg and mta logs together
for example
index=email sourcetype=MTA sm.qid
index=email sourcetype=MSG filter.qid
sm.qid = filter.qid for the same email session
I want to write an efficient search/subsearch that will correlate the two sourcetypes and also display multiple fields from each index.
I am at this point but wondering if I am going the right direction...
[search index=email sourcetype=MSG <some-search-criteria> | fields filter.qid | rename filter.qid as search] index=email sourcetype=MTA | table <some-fields>
This works partially but the sourcetypes MTA and MSG have different fields that I want to display together in the results...
For example sourcetype=MTA has fields: status,to,from,sm.qid
While sourcetype=MSG has fields:
messageID, subject, to, from, filter.qid
the "to" and "from" fields are slightly different and are formatted slightly differently too...
I thought about coalesce but it is acting funny. I need to use ... | eval CommonID = coalesce('sm.qid','filter.qid') <<<< only single quotes work... and I am not sure of the best way to use coalesce to grab all the fields from both sourcetypes.
Any advice appreciated.
Thanks
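Added example, not from the original post: a stats-based version of the same correlation that avoids the subsearch result limits and keeps the differently formatted to/from fields of each sourcetype side by side. It assumes the qid values match exactly between the two sourcetypes and uses a constructed placeholder filter (`subject="*invoice*"`) in place of `<some-search-criteria>`.

```spl
index=email ((sourcetype=MSG subject="*invoice*") OR sourcetype=MTA)
| eval CommonID=coalesce('sm.qid', 'filter.qid')
| where isnotnull(CommonID)
| eval mta_to=if(sourcetype=="MTA", 'to', null()),
       mta_from=if(sourcetype=="MTA", 'from', null()),
       msg_to=if(sourcetype=="MSG", 'to', null()),
       msg_from=if(sourcetype=="MSG", 'from', null())
| stats dc(sourcetype) as sources,
        values(status) as status,
        values(mta_to) as mta_to,
        values(mta_from) as mta_from,
        values(messageID) as messageID,
        values(subject) as subject,
        values(msg_to) as msg_to,
        values(msg_from) as msg_from
        by CommonID
| where sources==2
| table CommonID status messageID subject mta_to mta_from msg_to msg_from
```

The single quotes are required because in eval a single-quoted name refers to a field while a double-quoted one is a string literal, so coalesce("sm.qid","filter.qid") would just return the text sm.qid. The `sources==2` filter keeps only sessions seen in both sourcetypes; the trade-off against the subsearch form is that all MTA events in the time range are scanned, so keep the time window tight.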