Hi Community,
I have a search query where I am trying to get values for the search from the results of another query.
index=_internal
[ `set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool = "*"
| search h = hp742srv OR dell970srv OR dell428srv OR hp548srv OR dell429srv OR dell477srv OR dell433srv
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30
| join type=outer _time
[ search index=_internal
[ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach *
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
The search statement in line number 9 has a list of host names which I have entered manually using the OR operator. The below query can generate the list of results but I am not able to use the result in the above query.
index=mx_logs "mx.env"="dell1192srv.fr.mx.com:15022"
| table host
| dedup host
How can I use the results from the 2nd query dynamically in the first SPL query?
Thanks in advance.
Regards,
Pravin
index=_internal
[ `set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool = "*"
| search [search index=mx_logs "mx.env"="dell1192srv.fr.mx.com:15022"
| table host
| dedup host
| rename host as h
| format]
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30
| join type=outer _time
[ search index=_internal
[ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach *
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
index=_internal
[ `set_local_host`] source=*license_usage.log* type="Usage"
| eval h=if(len(h)=0 OR isnull(h),"(SQUASHED)",h)
| eval s=if(len(s)=0 OR isnull(s),"(SQUASHED)",s)
| eval idx=if(len(idx)=0 OR isnull(idx),"(UNKNOWN)",idx)
| bin _time span=1d
| stats sum(b) as b by _time, pool, s, st, h, idx
| search pool = "*"
| search [search index=mx_logs "mx.env"="dell1192srv.fr.mx.com:15022"
| table host
| dedup host
| rename host as h
| format]
| timechart span=1d sum(b) AS volumeB by idx fixedrange=false limit=30
| join type=outer _time
[ search index=_internal
[ `set_local_host`] source=*license_usage.log* type="RolloverSummary" earliest=-30d@d
| eval _time=_time - 43200
| bin _time span=1d
| stats latest(stacksz) AS "stack size" by _time]
| fields - _timediff
| foreach *
[ eval <<FIELD>>=round('<<FIELD>>'/1024/1024/1024, 3)]
Thanks @ITWhisperer