Search: Join / Multisearch

From Wiki-WebPerfect

Example

In the index "index1" the fields "field1_index2" and "field2_index2" are missing, but they exist in the index "index2".
"field1" from "index1" has the same value as "field1_index2" from "index2" (this is the field used to merge the data).

Goal: add "field2_index2" from "index2" to the main search over "index1".

Fields of Index1:

  • field1
  • field2
  • field3

Fields of Index2:

  • field1_index2
  • field2_index2


Multisearch

With multisearch you can combine events from multiple indexes. The result is similar to a Splunk join, but the search is faster because the merge is done by stats instead of a subsearch.

Splunk-Search

| multisearch
    [search index="index1" <some_filters_if_needed> earliest=-24h latest=now ...]
    [search index="index2" <some_filters_if_needed> earliest=-24h latest=now ... | rename field1_index2 AS field1]
| stats
    latest(field2) as field2
    latest(field3) as field3
    latest(field2_index2) as field2_index2
    by field1
| fields
    field1, field2, field3, field2_index2


Join - Add fields from another index to my search

Splunk-Search

index=index1
| sort field1 DESC
| join type=left field1 [search index=index2 earliest=-1d | rename field1_index2 AS field1 | fields field1, field2_index2]
| table field1, field2, field3, field2_index2
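To make the difference between the two searches above visible without a Splunk instance, here is an added Python emulation (not code from the wiki page) that runs both patterns over constructed events: a key that is duplicated in index2, a key only in index1, and a key only in index2. It assumes the join subsearch returns the newest event first, as an ordinary Splunk event search does, so `join` with its default max=1 keeps the latest match.

```python
# Added example: emulation of `join type=left` vs `multisearch | stats latest() by field1`.
# Assumption: the join subsearch yields the newest event first (default event-search order).

# Constructed sample events for index1 and index2 (_time is a simple ordering value).
INDEX1 = [
    {"_time": 1, "field1": "A", "field2": "x", "field3": "p"},
    {"_time": 2, "field1": "B", "field2": "y", "field3": "q"},
    {"_time": 3, "field1": "C", "field2": "z", "field3": "r"},   # no row in index2
]
INDEX2 = [
    {"_time": 1, "field1_index2": "A", "field2_index2": "old"},
    {"_time": 5, "field1_index2": "A", "field2_index2": "new"},  # newer duplicate key
    {"_time": 2, "field1_index2": "B", "field2_index2": "bb"},
    {"_time": 4, "field1_index2": "D", "field2_index2": "dd"},   # no row in index1
]

def rename_index2(events):
    """`| rename field1_index2 AS field1` applied to the index2 events."""
    return [{**ev, "field1": ev["field1_index2"]} for ev in events]

def join_left(index1, index2):
    """`| join type=left field1 [... | fields field1, field2_index2]`:
    every index1 row is kept; the first (newest) index2 match supplies field2_index2."""
    newest_first = sorted(rename_index2(index2), key=lambda e: e["_time"], reverse=True)
    match = {}
    for ev in newest_first:
        match.setdefault(ev["field1"], ev["field2_index2"])       # first match wins
    return [{**ev, "field2_index2": match.get(ev["field1"])} for ev in index1]

def multisearch_stats(index1, index2):
    """`| multisearch [index1] [index2 | rename ...] | stats latest(f) as f ... by field1`:
    latest() takes the newest event in which the field is present, so rows from
    either index contribute; a key that exists only in index2 also produces a row."""
    fields = ("field2", "field3", "field2_index2")
    groups = {}
    for ev in sorted(list(index1) + rename_index2(index2), key=lambda e: e["_time"]):
        row = groups.setdefault(ev["field1"], {"field1": ev["field1"]})
        for f in fields:
            if f in ev:                                             # null fields are skipped
                row[f] = ev[f]                                      # ascending time: last write is latest
    return [{f: row.get(f) for f in ("field1",) + fields} for row in groups.values()]
```

The stats variant keeps key D, which only exists in index2; append `| where isnotnull(field3)` after the stats if the result should contain index1 keys only, like the left join.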