Hello!
Is there a way to do conditional searches depending on the result of a first search?
I mean, here is an example:
- A search command returns a table with a field containing an interesting value, for instance "reachable" or "not-reachable"
- a second search command is executed only if the value "reachable" is set in the first command
- this second search should be run for each row of the table from the first command.
In both commands, there are "eval" commands which are used for timestamp evaluations.
Here is a simplified version of my query:
index=* sourcetype=routes_devices
| table _time,host-name, reachability
| eval result=if(reachability=="reachable",
[search index=* sourcetype=router fields name], "NOK")
Is it possible to do that kind of search, with the best performance possible?
Thanks for your help!
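As an added illustration (not part of the original post, and not the poster's own query), one way to express a per-row conditional second search in SPL is to filter the first result set and hand each surviving row to the map command. The example assumes the router events carry a "name" field that matches the "host-name" value of the first search; both field names are taken from the question, the rename is only there so the token has no hyphen:

```spl
index=* sourcetype=routes_devices
| table _time, host-name, reachability
| rename host-name AS hostname
| where reachability="reachable"
| map maxsearches=50 search="search index=* sourcetype=router name=\"$hostname$\" | eval hostname=\"$hostname$\" | table _time, hostname, name"
```

The "where" clause replaces the conditional eval: rows that are not "reachable" never reach the second search. The map command launches one separate search per remaining row, which is exactly the requested behaviour but also the expensive part; maxsearches caps how many inner searches can be spawned. When the first search can return many rows, a single search over both sourcetypes followed by "stats ... by hostname" is usually far cheaper than map, so the per-row approach is best reserved for small, already filtered result sets.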