Multisearch is a generating command (generating commands use a leading pipe character and must be the first command in a search) that runs multiple searches at the same time without truncating the result sets. It requires more than one subsearch. Each subsearch must consist only of streaming commands, for example search, where, rex, fields and eval; non-streaming commands such as stats or sort are not allowed inside a multisearch subsearch.

Example:

| multisearch [search index="_internal" sourcetype=splunkd_access ...] [search index=_audit sourcetype=audittrail ...]

As you can see here, we have used two subsearches and combined them with the multisearch command. In the result you can see that we are getting data from both indexes. This works much like the append or appendcols commands, which combine two different data sets into one single data set. One advantage over the append command is that multisearch does not truncate: append runs its second search as a subsearch and is therefore subject to the subsearch result and time limits, whereas multisearch runs each search in full, so you can combine several data sets without losing rows.

Search: the field returned by the macro should fill the index field in the search. Remember that if your subsearch returns a field called 'search', it is returned verbatim to the outer search. While in your simple example it might not have a benefit, multisearch lets you use any streaming command in each search.

`mymacro(client01)` index=usecasedatasource

Using Job Inspector, the eventSearch field is filled like this: search | eval customer='client01' | lookup usecases.csv customer OUTPUT customer usecasedatasource | fields + usecasedatasource | search. So you can craft a search string yourself if the format command isn't sufficient. Run-anywhere example: | makeresults count=20 | streamstats count | search [| makeresults count=10 | streamstats count | table count | eval count'count].

Additionally, multisearch searches are run (more or less) simultaneously, not sequentially as they are with append. I think its value would come out in a case where you need to apply calculations (eval) or inline extractions (rex) to one set of events but not to other sets of events, and it might make your search easier to understand (instead of getting multiple levels of if statements deep in your evals). If the search slots are available, multisearch should finish dramatically faster.
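As an added example (not code from the original post), here is a complete multisearch that gives each branch its own rex and eval before the two streams are merged, followed by the append form of the same search for comparison. It assumes the usual fields of the two sourcetypes (user, uri and status in splunkd_access; user, action and info in audittrail) and that the running user is allowed to read _internal and _audit; the names endpoint, spl, source_set and outcome are labels chosen for this example.

```spl
| multisearch
    [ search index=_internal sourcetype=splunkd_access
      | rex field=uri "^(?<endpoint>[^?]+)"
      | eval source_set="rest_access", outcome=if(status>=400, "denied_or_error", "ok")
      | fields _time source_set user endpoint outcome ]
    [ search index=_audit sourcetype=audittrail action=search
      | rex field=_raw "search='(?<spl>[^']*)'"
      | eval source_set="search_audit", outcome=if(info="failed", "denied_or_error", "ok")
      | fields _time source_set user spl outcome ]
| stats count AS events, dc(user) AS users BY source_set outcome
| sort source_set outcome

index=_internal sourcetype=splunkd_access
| eval source_set="rest_access", outcome=if(status>=400, "denied_or_error", "ok")
| fields _time source_set user outcome
| append
    [ search index=_audit sourcetype=audittrail action=search
      | eval source_set="search_audit", outcome=if(info="failed", "denied_or_error", "ok")
      | fields _time source_set user outcome ]
| stats count AS events, dc(user) AS users BY source_set outcome
```

In the first search the rex on uri only touches the REST access log branch and the rex on _raw only touches the audit branch, so neither extraction has to be guarded with if() in a shared eval; both branches run as full searches and are only merged before the stats. In the second search the audit branch is a subsearch of append, so its rows are cut off once the subsearch result or time limit is reached, and the stats silently undercounts that source. The constraint runs the other way too: placing a non-streaming command such as stats or sort inside one of the multisearch brackets makes the whole search fail with an error, while append accepts it.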