I have a massively complex search that's working. But now I'd like to augment the output of that search with some additional fields, which can be found by using a secondary search. For this to be efficient, I need the output of the core search to be fed as parameters of the secondary search... (Basically, I'm looking for a "lookup", but a lookup that's based off another search, not a CSV file, script, or kv-store.) I'm really only dealing with one or two results at a time, so the typical inefficiencies of launching multiple searches are not a concern here.
It seems like this should be possible with the `appendpipe` search command in combination with the `map` command. Instead of trying to make this work in the context of my already complex search, I broke it down into its simplest form.
This search works, demonstrating that `map` works as expected:

```
| stats count | eval series="splunkd" | map search="search index=_internal source=*metrics* group=per_sourcetype_thruput series=$series$ | head 1 | table series kb max_age"
```

The output is: `series=splunkd, kb=10.49353, max_age=1`
This also works, demonstrating that the field "series" makes it from the base search into the subsearch, just as appendpipe advertises:
```
| stats count | eval series="splunkd" | appendpipe [ eval new_field=series ]
```
The output looks like so:
* count=0, series=splunkd
* count=0, new_field=splunkd, series=splunkd
However, once combined, something goes (silently) wrong:
```
| stats count | eval series="splunkd" | appendpipe [ map search="search index=_internal source=*metrics* group=per_sourcetype_thruput series=$series$ | head 1 | table kb series max_age" ]
```
The output looks like:
* count=0, series=splunkd
I was expecting the output to look like:
* count=0, series=splunkd
* series=splunkd, kb=10.49353, max_age=1
In real life, the first result would have lots of other useful fields. And I'd stick something like `| stats values(*) as * by series` to group all the relevant fields into a single result.
Any thoughts? I've been testing this on Splunk 6.2.