Hi, I tried to do a base search, then pass fields to a subsearch as both a filter and stat columns. I tested with the following:
index="_internal" | eval MyUser=user | table MyUser bytes | map search="search index="_audit" user=$MyUser$ | stats values(user), values($MyUser$) as MyUser, values($bytes$) as bytes, values(action) "
user=$MyUser$ works but the columns for fields MyUser and bytes are empty.
Please help. Thanks.
Besides, will there be a better and more efficient way to do so?
Thanks a lot.
/ST Wong