Hello all, my search is below:
index=tcxelevate_webpos registerType=kioskBridge registerNbr=* countryCode=US tagName=CLIENT_INITIALIZATION enterpriseId=prod storeId=* storeId!=4184 AND storeId!=0001
| eval regNbr=registerNbr | eval storeNbr=storeId
| spath output="Store" "storeId"
| spath output="Country" "countryCode"
| spath output="Lane" "registerNbr"
| spath output="Time" "timestamp"
| spath output="Reloads" "tagName"
| localize timebefore=5m
| map search="search index=tcxelevate_webpos registerType=kioskBridge registerNbr= regNbr countryCode=US enterpriseId=prod storeId=storeNbr earliest=$starttime$ latest=$endtime$"
| spath output="Command" "command"
| eval request=case(true(), "debug")
| eval response=case(true(), "debug")
| stats values(Country) as Country, latest(Command) as Command, latest(request) as Request, latest(response) as Response, values(Reloads) as Reloads by Store, Lane, Time
| table Time, Reloads, Command, Request, Response, Store, Lane, Country
As you can see. I am trying to strip the register number from the first search into spath
From there, I am trying to do a map search on all events that are pulled from the main search.
In the map search. I try to set registerNbr equal to the variable I made with the spath.
I am just trying to take the value for registerNbr from the first search, and store it. and refer to it later in my map search to narrow down the search.
Any assistance?
P.S. ignore my eval's with case statements. I haven't filled those out yet, but have working code that I will put in there after I am done testing to see if I can get the map search to work as I want it to.
↧