I'm looking to perform an addterm on a saved search that has a subsearch. I need the value from the addterm passed into both locations. Is there a way to do this with the "flags" option?
index=ems sourcetype="perfmon:perfmon:sqls*" counter="Lazy writes/sec" earliest=@d ADDTERMHERE | timechart partial=f span=30m avg(Value) as LazyWrites | eval marker = "Today" | eval _time = _time+1800 | append [search index=ems sourcetype=perfmon:perfmon:sqls* counter="Laxy writes/sec" earliest=-7d@d-30m latest=-6d@d-30m ANDADDTERMHERE | timechart span=30m avg(Value) as LazyWrites | eval marker = "Same Day Last Week" | eval _time = _time+86400*7+1800 ] | timechart span=30m values(LazyWrites) as "Lazy Writes" by marker
My intention looks like so:
<module name="ConvertToIntention">
<param name="settingToConvert">host_setting</param>
<param name="intention">
<param name="name">addterm</param>
<param name="arg">
<param name="host">$target$</param>
</param>
<param name="flags"><list>indexed</list></param>
</param>
Thanks!
... View more
