Returning a new constant field in a subquery

Follow

Matt Evans

• November 02, 2018 19:02
• Edited

I have two log statements I'm trying to compare. One statement I'm parsing to return a list of ids, the other I'm parsing to return a single id.

I would like to return a result set whenever a single id also matches an id in a list of ids.  I'm trying to use a subquery to do this and I think I have the logic right but it appears that I cannot return a custom field (using the as operator). 

_sourceCategory=category1  |  parse "Ids [*]" as ids 
| where ids matches toString([subquery:_sourceCategory=category2 | parse "Id * " as singleId 
| compose singleId])

This results in an error:

Subquery failed with error: Field singleId not found, please check the spelling and try again.

However if I change compose singleId to compose Message, it works, and by works I mean it doesn't error, however since I'm now passing Message and not singleid, I don't get expected results.

 

 

 

 

 

 

0

• Official comment

  

  Matt Sullivan

  • November 11, 2018 13:44

  assuming you want to just show results from category1 where Id from category 2 is present, you might opt to move the subquery to the scoping portion of the query, and presuming category1 does not have a field named singleId, you must use the keywords modifier on the subquery. Net result is something like below

  _sourceCategory=category1
  [subquery:_sourceCategory=category2
  | parse "Id * " as singleId
  | compose singleId keywords]

  Permalink

Please sign in to leave a comment.