I'm trying to calculate the `_time` difference between the subsearch and main search; but if I try and pass the time through to the main search it seems to want to include it in the actual search and return me no results.
So I have two systems, one to publish and one to ingest. For each publish in the last 4 hours, I want to look back in time and find when its ingest was to see how long it spent in the system. The linkage between the two searches is the "UID", but in the subsearch I have to rename it from `uid` to `UID`.
My search as follows gives me all the ingest events for the last 4 hours' worth of successfully published events:
```
index=mca_mmr sourcetype=ixs-9 Method=Ingest [search index=mca_mmr earliest=-4h sourcetype=jbpm process=publishEnd | rename uid as UID | fields UID]
```
I would expect something similar to this to work, although I don't know how to pass `pub_time` through to the main search:
```
index=mca_mmr sourcetype=ixs-9 Method=Ingest [search index=mca_mmr earliest=-4h sourcetype=jbpm process=publishEnd | rename uid as UID | eval pub_time=_time | fields UID] | eval process_time=pub_time-_time
```
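An added example, not part of the original post: a subsearch's output fields are turned into search terms for the outer search (`UID="..." AND pub_time="..."`), so they act as filters and cannot carry values into the results. A single search over both sourcetypes, correlated with `stats ... by UID`, keeps both timestamps. Assumptions: the time range picker is wide enough to cover the ingest events, and the earliest ingest per UID is the one wanted; `ingest_time` is a name introduced here.

```spl
index=mca_mmr ((sourcetype=jbpm process=publishEnd) OR (sourcetype=ixs-9 Method=Ingest))
| eval UID=coalesce(UID, uid)
| eval pub_time=if(sourcetype=="jbpm", _time, null())
| eval ingest_time=if(sourcetype=="ixs-9", _time, null())
| stats max(pub_time) as pub_time min(ingest_time) as ingest_time by UID
| where isnotnull(pub_time) AND isnotnull(ingest_time) AND pub_time>=relative_time(now(), "-4h")
| eval process_time=pub_time-ingest_time
```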