Hi All,
My data looks like this:
sourcetype - Loginstats
contents - Hostname, host, Address
sourcetype - Clientstats
contents - host, Address, "Symbol subscriptions"
What I want to do is use a subsearch to get the results of my search to obtain Address from loginstats and then get some statistics from Clientstats.
My search is as follows:
index=contentgateway sourcetype=Loginstats "User id"="fid-idea" [search index=contentgateway sourcetype=clientstats "User id"="fid-idea"| table Address]| stats mode("Symbol subscriptions") by Address, Hostname, host
which "kinda" works, in that it gives me the Address, Hostname and host. What it doesn't give me is the mode of "Symbol subscriptions". I understand why it's not working: "Symbol subscriptions" is not a part of Loginstats. I just want to figure out a way to get it to work. So is there a way to associate a mode("Symbol subscriptions") and pass it back to the main search, but not have the search use that as a search term, and instead only search on the Address? I've tried moving the stats command inside the subsearch already...