I've combed through a plethora of the posts here with regard to using subsearches and other various "solutions" to what must be a very common issue: combining results from two searches.
Let me start out by apologizing since this may very well be an easily solved question. I hope you'll be able to take a moment to assist me whether or not that's the case. I would appreciate it.
My issue is the following:
I have two searches. They mostly resemble:
index=X | ... do something ... | rename ... | table a, b, c
index=Y some_value_found_in_indexX_fieldb | table d
Let's say I do a regular boring search on index X and pick out one of field b's values. I then perform the second search. When I do it manually I can find matches for that value from index Y.
What I want to do is use each value from index X field b as the search "keyword" (for lack of a better term) rather than a static string that I pick out by hand.
Now I already tried several different subsearches with one inside the other, knowing that the subsearch is performed first, which means that any value I want to use from it is for the outer search (and can't be done in the opposite order).
So I expected that I'd be using the first search as my subsearch. Something like:
index=Y [search index=X | ... do something ... | rename ... | table a, b, c] | table d
But I don't think that's quite right since I never get any results.
If this were to work, I'd probably have a table with a, b, c, and d.
I don't think a join would be used in this case. Am I wrong?
If any of you could help me I would be super thankful.
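What the subsearch in the attempt above hands to the outer search, as an added example that is not part of the original post: a subsearch ending in `table a, b, c` is expanded into `( a="..." AND b="..." AND c="..." ) OR ...`, so index Y events match only if they carry fields named a, b and c with those values. The first query below prints that expanded string for inspection; the second passes only the values of field b as bare search terms, assuming (as in the post) that the value appears as raw text in index Y events. The elided steps of the original search are left out.

```spl
index=X
| fields a, b, c
| format

index=Y
    [ search index=X
      | dedup b
      | fields b
      | rename b AS search
      | format ]
| table d
```

Renaming the field to `search` makes Splunk drop the field name and insert each value as-is, so a value of b that contains spaces is matched as separate terms rather than as one phrase.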