Sample events look like:
{"title": "SavedSearch1", "action_email": "0", "action_summary_index": "0", "alert_expires": "2m", "author": "admin", "disabled": "0", "orphan": "0", "dispatch_earliest_time": "-60m@m", "dispatch_latest_time": "now", "eai_acl_app": "search", "eai_acl_owner": "admin", "eai_acl_sharing": "user", "is_scheduled": "0", "search": "| savedsearch “SavedSearch2” | search index=_audit | head 10", "cluster_name": "BIG_DATA"}
{"title": "Savedsearch2", "action_email": "0", "action_summary_index": "0", "alert_expires": "2m", "author": "admin", "disabled": "0", "orphan": "0", "dispatch_earliest_time": "-60m@m", "dispatch_latest_time": "now", "eai_acl_app": "search", "eai_acl_owner": "admin", "eai_acl_sharing": "user", "is_scheduled": "0", "search": "| savedsearch “index=* | head 100", "cluster_name": "BIG_DATA"}
I have to read the saved search list from my internal logs, check the existence and extract a particular field count and value from it. If the saved search is using another saved search inside the main saved search, then I have to again check the existence and extract the same particular field count and value from it, then join both of them and get the final count and values of that particular field.
E.g.: consider index as one field; I would have multiple fields to be calculated in the same process.
SavedSearch1
| savedsearch “SavedSearch2” | search index=_audit | head 10
Savedsearch2
index=* | head 100
index=application_core sourcetype=application_log
| eval [ search index= application_core sourcetype= application_log
| eval anotherSavedSearchUseInSearch="SavedSearch2"
| where title=anotherSavedSearchUseInSearch
| rex max_match=0 field=search "index\s{0,}=\s{0,}\"{0,}\${0,}(?<indexusedinquery>\*{0,}\w*\*{0,})"
| eval indexusedinquery = if(isnull(indexusedinquery),"indexNotUsed",indexusedinquery)
| table title indexusedinquery
| fields title indexusedinquery
| eval valuesReturnedfromsecondsearch = title.",".indexusedinquery
| return valuesReturnedfromsecondsearch]
Output:
FieldName : valuesReturnedfromsecondsearch
FieldValue : Savedsearch2,*
I am able to return the output if I manually pass the value SavedSearch2, but when I try to extract it from rex and send it, then the above query is not working. It is simply changing the title value from SavedSearch1 to SavedSearch2, but it has to then check for the events which have the anotherSavedSearchUseInSearch value as title, without changing the existing title name.
And this subsearch should iterate for all the cases.
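The dependency walk described in the post (read the saved-search events, pull the index values out of each search string, follow every "| savedsearch" reference and join the results per title), as an added Python example that is not part of the original post or an answer to it. It reuses the post's rex pattern with the named capture group written in Python's (?P<name>...) form, and makes three assumptions of its own: the events are constructed JSON lines carrying only the title and search fields; title lookup is case-insensitive (so "SavedSearch2" resolves the "Savedsearch2" event); and the markers "indexNotUsed" and "savedSearchNotFound", plus the cycle guard, are this example's choices.

```python
import json
import re

# Constructed sample events modelled on the two saved-search records in the post;
# only the fields the resolution needs are kept.
SAMPLE_EVENTS_JSONL = r'''
{"title": "SavedSearch1", "search": "| savedsearch \"SavedSearch2\" | search index=_audit | head 10"}
{"title": "Savedsearch2", "search": "index=* | head 100"}
'''


def load_events(jsonl):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


# The post's rex pattern with the named group restored. Splunk's PCRE spells the
# group (?<indexusedinquery>...); Python's re module spells it (?P<...>...).
INDEX_RE = re.compile(r'index\s{0,}=\s{0,}"{0,}\${0,}(?P<indexusedinquery>\*{0,}\w*\*{0,})')

# A reference to another saved search: | savedsearch "Name" (straight or curly
# opening quote, or no quote at all). Assumption of this example, not Splunk syntax rules.
SAVEDSEARCH_RE = re.compile(r'\|\s*savedsearch\s+["\u201c]?([^"\u201d\s|]+)')


def extract_indexes(search):
    """All index values named in one search string, or the post's default marker."""
    found = [m.group("indexusedinquery") for m in INDEX_RE.finditer(search)]
    return found or ["indexNotUsed"]


def referenced_saved_searches(search):
    """Titles of saved searches this search string invokes via | savedsearch."""
    return SAVEDSEARCH_RE.findall(search)


def resolve_indexes(title, events):
    """Map every saved search reachable from `title` to the indexes its SPL names.

    Breadth-first walk over the savedsearch references; the `seen` set stops
    a self- or mutual reference from looping forever.
    """
    by_title = {e["title"].lower(): e for e in events}  # case-insensitive lookup (assumption)
    result, seen, queue = {}, set(), [title]
    while queue:
        name = queue.pop(0)
        key = name.lower()
        if key in seen:
            continue
        seen.add(key)
        event = by_title.get(key)
        if event is None:
            result[name] = ["savedSearchNotFound"]  # constructed marker for a dangling reference
            continue
        result[event["title"]] = extract_indexes(event["search"])
        queue.extend(referenced_saved_searches(event["search"]))
    return result


def summarize(title, events):
    """Joined 'title,index,...' strings per saved search and the total index count,
    mirroring the post's final join step."""
    resolved = resolve_indexes(title, events)
    joined = [f"{t},{','.join(ix)}" for t, ix in resolved.items()]
    count = sum(len(ix) for ix in resolved.values() if ix != ["indexNotUsed"])
    return joined, count


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS_JSONL)
    rows, total = summarize("SavedSearch1", events)
    for row in rows:
        print(row)
    print("index values found:", total)
```

Running it on the two constructed events yields one row per saved search in the chain, "SavedSearch1,_audit" and "Savedsearch2,*", so the outer title is preserved while the nested search's values are joined beside it, which is the behaviour the post is after.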