Suppose you want all of the events from the most active host in the last hour. You could run two searches to obtain that list of events. The following search identifies the most active host in the last hour.

sourcetype=syslog earliest=-1h | top limit=1 host | fields host

Assume that the result is the host named crashy. To return all of the events from the host crashy, you need to run a second search. The drawback to running two searches is that you cannot set up reports and dashboard panels to run automatically: you must run the first search to identify the piece of information that you need, and then run the second search with that piece of information.

You can combine these two searches into one search that includes a subsearch. The subsearch is in square brackets and is run first. In this example the subsearch identifies the most active host in the last hour. The result of the subsearch is then provided as a criterion for the main search, and the main search returns the events for that host.

Time ranges selected from the Time Range Picker apply to the base search and to subsearches. However, time ranges specified directly in the base search do not apply to subsearches. Likewise, a time range specified directly in a subsearch applies only to that subsearch. For example, if the Time Range Picker is set to Last 7 days and a subsearch contains its own earliest time modifier, then that modifier applies only to the subsearch and Last 7 days applies to the base search. The subsearch's time range does not apply to the base search or to any other subsearch.

Subsearches are mainly used for two purposes:

- Parameterize one search using the output of another search. The example above, searching for the most active host in the last hour, is an example of this use of a subsearch.
- Run a separate search and add its output to the first search using the append command.

A subsearch can be used only where the explicit action you are trying to accomplish is a search, not a transformation of the data. For example, you cannot use a subsearch with "sourcetype=top | multikv", because the multikv command does not expect a subsearch as an argument. Certain commands, such as append and join, can accept a subsearch as an argument.

You can use more than one subsearch in a search. If a search has a set of nested subsearches, the innermost subsearch is run first, followed by the next inner subsearch, working out to the outermost subsearch and then the primary search. For example, consider the following search.

| search [search index=* | stats count by user [search index=* | stats count by component]]

Note that you must have a command after the pipe and before the subsearch.
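The single search that the text says can replace the two-search procedure, followed by an append-style variant, written out here as an added illustration; these are not searches copied from the original page. The sourcetype, the one-hour window and the host field follow the page's example; the field names total and last_hour in the append variant are made up for this example.

```spl
sourcetype=syslog [search sourcetype=syslog earliest=-1h | top limit=1 host | fields host]

sourcetype=syslog
| stats count AS total BY host
| append [search sourcetype=syslog earliest=-1h | stats count AS last_hour BY host]
| stats sum(total) AS total, sum(last_hour) AS last_hour BY host
```

In the first search the subsearch runs first and hands its result back as search terms: with the page's example it expands to host=crashy, so the outer search effectively becomes sourcetype=syslog host=crashy. The fields host step is not cosmetic. top also emits count and percent fields, and without stripping them the subsearch would return host=crashy together with count and percent terms that no raw event matches, so the outer search would return nothing. The earliest=-1h inside the brackets restricts only the subsearch; the outer search still runs over whatever the Time Range Picker selects, so this returns every event from crashy in that whole range, not just the last hour. In the second search the subsearch is used as a data source rather than as a filter: append adds the last-hour counts per host as extra rows, and the final stats merges them with the full-range counts. One check worth making for either pattern is the subsearch limits: by default a subsearch returns at most 10,000 results and is cut off after 60 seconds (the maxout and maxtime settings in the [subsearch] stanza of limits.conf), and a truncated subsearch narrows the outer search in a way that is easy to miss in a scheduled report.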