I'm trying to monitor a set of hosts that run a batch process, and I want to produce output that dynamically identifies the hosts according to filter keywords, then join that list of hosts with subsearches that look for the specific events of interest. For example:
index=Idx filter1 filter2
| stats min(_time) as initial_time by host
| convert ctime(initial_time)
| table host, initial_time
| join type=left host
    [ | search index=eng_etm [ index=Idx filter1 filter2 | stats count by host | table host | return 2000 host ] starttag1 starttag2
      | convert ctime(_time) as start_time
      | table host, start_time
      | sort 0 host
      | dedup host ]
| join type=left host
    [ | search index=Idx [ index=Idx filter1 filter2 | stats count by host | table host | return 2000 host ] endtag1 endtag2
      | table _time, host
      | stats min(_time) as end_time by host
      | convert ctime(end_time) ]
Returns something like this:
host  initial_time      start_time        end_time
1     8/1/16 00:00:00   8/2/16 00:01:00   8/2/16 00:01:21
2     8/1/16 00:00:00   8/2/16 00:01:00
3     8/1/16 00:00:00
4     8/1/16 00:00:00   8/2/16 00:01:00   8/2/16 00:01:21
This is actually the output I want, but I don't like having to constantly restate the subsearch in each join statement. Is there a simpler way to write this search to allow the subsearch to get the host list from the outer search?