Thanks cmerriman, I did see a similar answer in this forum, but I couldn't get it to work.

| eval filename=if(isnull(filename),"Missing File!",filename)

When a search contains a subsearch, the subsearch typically runs first. My base search which extracts filenames and the times that they arrived

A subsearch is a search within a primary, or outer, search. If not, is there another strategy that I could use to detect missing files? If for some reason log is not available as a field, you should extract the full JSON object that contains 'log' as a key, extract that JSON with spath, then extract fields contained in log using spath. The best way to extract structured data is spath. The search that is enclosed in a square bracket and whose result is passed as a parameter value to the search is called a subsearch. is there a way to pass base search results to subsearches? You don't need rex to extract requestType.

I see that this question has been asked a few times in this forum, but none of the questions I viewed have accepted answers, and none of them were trying to use the same technique. However, it seems that the subsearches are unable to read my base search. (please see a cut-down version of the code below) To make the dashboard more efficient, I'm trying to implement a base search to list the files from all sources, which I then want to pass to my subsearches - I have to use subsearches because of the makeresults which generates the full list of sequence numbers. Occasionally a file gets lost in transit, so I have designed a dashboard with 20 panels (one for each source) to highlight missing files by doing a makeresults and then a streamstats to generate a list of sequence numbers, and then a join to a search which extracts the sequence numbers from the filenames received, and then any sequence numbers that are not 'joined' to a filename are flagged as missing files.
The filenames contain the source that we received the file from, and have a three digit sequence number as a suffix. We receive several hundred files per day from 20 different sources.