I need to do a search in two different sourcetypes and use the result to do additional searches in these queries.
But I have the problem that, while both sourcetypes have similar values, they use different prefixes. So in sourcetype=A the ip is called aIP and in sourcetype=B the ip is called bIP respectively.
So you could search with
aIP="192.168.0.1" OR bIP="192.168.0.1"
However, if you want to use these IPs from a subsearch of both of these tables, it becomes problematic and I am not sure what the best solution is.
So let's assume I want to find the IPs used on a specific page called "MAINPAGE", and use these IPs to search for other pages visited by them on both sources.
I tried to minimize the code as far as possible. It might not make any sense anymore, but I hope it’s enough to bring across my point.
index=web (sourcetype=a OR sourcetype=b)
    [search index=web sourcetype=a apage=MAINPAGE | table aIP]
    OR
    [search index=web sourcetype=a apage=MAINPAGE | rename aIP as bIP | table bIP]
    OR
    [search index=web sourcetype=b bpage=MAINPAGE | table bIP]
    OR
    [search index=web sourcetype=b bpage=MAINPAGE | rename bIP as aIP | table aIP]
| eval page = coalesce(apage, bpage)
| eval ip = coalesce(aIP, bIP)
| table page, ip
So because the table of the subsearch automatically becomes the search parameters for the parent search and I need to search for both results, I don't see a better way than doing both searches twice and just renaming the field name of the output table.
Is there any way to reduce it to two subsearches in this case? E.g., renaming the fields without doing the search an additional time?
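As an added illustration (not part of the original post), the following SPL collapses the four subsearches above into one by normalising the IP field inside the subsearch and then emitting a field literally named `search`, whose value Splunk splices into the outer query verbatim instead of as `field=value` pairs. The index, sourcetype and field names (`web`, `a`/`b`, `aIP`/`bIP`, `apage`/`bpage`, `MAINPAGE`) are taken from the question; everything else is an assumption about that environment.

```spl
index=web (sourcetype=a OR sourcetype=b)
    [ search index=web ((sourcetype=a apage=MAINPAGE) OR (sourcetype=b bpage=MAINPAGE))
      | eval ip=coalesce(aIP, bIP)
      | dedup ip
      | eval search="(aIP=\"" . ip . "\" OR bIP=\"" . ip . "\")"
      | fields search ]
| eval page=coalesce(apage, bpage), ip=coalesce(aIP, bIP)
| table page, ip
```

The subsearch returns one `(aIP="x" OR bIP="x")` clause per distinct IP; Splunk ORs those clauses together when it substitutes them into the outer search, so each IP is looked up under both field names with a single pass over the MAINPAGE events. The usual subsearch limits (default 10,000 result rows and a 60-second timeout) still apply, so for large IP sets a lookup or `stats`-based join is the safer design; and because the IP values are interpolated into the query string, keeping them quoted as shown avoids surprises if a value ever contains characters SPL treats as syntax.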