I have a subsearch that calculates a field called 'MyLatestTime' and I want to use that to set the latest field in my outer search. How would I do that? For example: "outer search" earliest="01/19/2010:00:00:00" latest=MyLatestTime ["inner search" | eval MyLatestTime = _time ] I hope that made sense. Thanks.

Hi Dinh, To pass a field from the inner search to the outer search you must use the 'fields' command. Otherwise, Splunk will pass the results of the inner search as a set of events. Also, in the outer search, the assignment latest=MyLatestTime can be done in the inner search instead. Try this: ... earliest="01/19/2010:00:00:00" [search ... | eval MyLatestTime=_time | fields + MyLatestTime | rename MyLatestTime as latest]
What Vi Ly replied is right. It may also help you to use the "format" command. When a subsearch is used as an argument to a "search" command, its output is implicitly passed through "format" (unless it has already been explicitly sent through format) to convert it into a single string value (called either "search" or "query"). That string is then expanded into arguments to the original search command. So for example:
yields a string:
or something like that. That string would then be made part of your original search command in place of the subsearch. The "format" command can take an entire table and format it, so if your subsearch returned the table:
"format" would return:
by default. If used in a subsearch in a "search" command, then, that query would be part of your search. Note that arguments to "format" can change the "AND", "OR" and parentheses to other characters (e.g., it is sometimes useful to generate a string like the above, but where "AND" is replaced with "OR").
This doesn't work for me. Here's what I'm trying to do: sourcetype="ST" [search sourcetype="ST" foo=bar | stats max(_time) as latest min(_time) as earliest by host | eval latest=latest+.001 | fields + earliest latest host] I want this to produce: sourcetype="ST" latest=1234567.500 earliest=1234566.799 host=host1

I believe the search that is actually being created is: sourcetype="ST" ( ( latest=1234567.500 AND earliest=1234566.799 AND host=host1 ) ) Running that search produces the error "Error in 'UnifiedSearch': Unable to parse the 'Missing LHS for AND' search.". Removing the parentheses, it works as expected. Anybody know a way to add the arguments from the subsearch onto the search without the parentheses?

EDIT... Thank you, Dr. Wooden, that works a treat. I kept going and made a workflow action that can be used generically, and should actually be fast, since it uses the results of the active search instead of rerunning the initial search. It should also work for complicated searches, since it's just pulling the results off disk.
Here's the full config entry:
The only downer is that it doesn't build a reusable search, but it should work well for interactive use. We can get rid of the extra parentheses like this (but it doesn't appear to fix the reported error): sourcetype="ST" [search sourcetype="ST" foo=bar | stats max(_time) as latest min(_time) as earliest by host | eval latest=latest+.001 | fields + earliest latest host | format "" "(" "AND" ")" "OR" ""]
(17 Nov '10, 17:05)
bwooden ♦
I removed the outer parenthesis as well and it appeared to work in my lab. Does this work in your environment: sourcetype="ST" [search sourcetype="ST" foo=bar | stats max(_time) as latest min(_time) as earliest by host | eval latest=latest+.001 | fields + earliest latest host | format "" "" "AND" "" "OR" ""]
(17 Nov '10, 17:13)
bwooden ♦
