I'm trying to get a search working where, instead of the whole result set passing to the next command as one, the results would pass over one at a time in a sort of loop fashion. Then I'd also like to use that value as a parameter value in the next command.
Here is a simple example.
Let's say I have this search:
"blah"
| top host
| fields + host
| throttle name=mytest period=300
| sendemail to=somebody sendresults=true
Let's say this returns two hostnames, which pass through the AlertThrottle app's throttle command, which then sets the suppression state and fires an email. The email contains the two hostnames from the result set.
I'd like to have each hostname pass through to the throttle command individually and also use the hostname to populate the "name=" value in the throttle portion, so that the single search is equivalent to:
hostname1 -> | throttle name=$host period=300 | sendemail to=somebody sendresults=true
hostname2 -> | throttle name=$host period=300 | sendemail to=somebody sendresults=true
So each result (two hostnames) generates a separate email, also using that hostname as a parameter value.
Are both of those two conditions even possible?
Thanks,
Scott
You could in theory use the map search command.
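As an added illustration of the approach suggested in this answer (this is not the answer's own search, nor code from the AlertThrottle app): map runs its search string once per input row and substitutes each row's field values for $field$ tokens before the inner search is parsed, so both the throttle name and the email can be driven by the host of the current row. The outer search, the "blah" term, and the throttle/sendemail arguments are taken from the question; the maxsearches value and the inner "stats count by host" step (used only to reduce each inner search to a single row carrying the host field) are assumptions.

```spl
"blah"
| top host
| fields + host
| map maxsearches=10 search="search \"blah\" host=$host$
    | stats count by host
    | throttle name=$host$ period=300
    | sendemail to=somebody sendresults=true"
```

Each host from the outer result set produces its own inner search, so throttle sees a distinct name per host and sendemail fires once per host with only that host's row. Two things to check on the target deployment: maxsearches caps how many rows map will iterate over (raise it if top returns more hosts than you expect), and, as the follow-up in this thread notes, map support depended on the Splunk version and on whether the search ran in distributed mode, so confirm it on the version actually in use.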
Thanks for the answer. It looks like this should allow the variable usage, but I couldn't test it successfully, and then I found your comments in a different ticket about map / <4.2 / distributed_mode not being supported, so I'm guessing that is why. I'll give this a try once 4.2 is released. Thanks!