I have a search with the following table as output:
time customer circuit_id parent_circuit device_card
8:10 zzzzzzzz aaaaaaa bbbbbbbbbbb ccccccccccc
Is it possible to use the values of the fields "circuit_id", "parent_circuit" & "device_card" using join command (or whatever command will work) to match a single field "prineid" from another index (main) and sourcetype (tickets)? So basically the "prineid" field of `index=main sourcetype=tickets` can have the values of aaaaaaa OR bbbbbbbbbbb OR ccccccccccc. I want the output/table to include another column "ticket" which is a field from index=main sourcetype=tickets:
time customer circuit_id parent_circuit device_card ticket
8:10 zzzzzzzz aaaaaaa bbbbbbbbbbb ccccccccccc dddd
As additional info, the main search is an alert for an outage and the subsearch looks for any tickets that may have been already opened for the outage.
↧