Returning a new constant field in a subquery
I have two log statements I'm trying to compare. One statement I'm parsing to return a list of ids, the other I'm parsing to return a single id.
I would like to return a result set whenever a single id also matches an id in a list of ids. I'm trying to use a subquery to do this and I think I have the logic right but it appears that I cannot return a custom field (using the as operator).
_sourceCategory=category1 | parse "Ids [*]" as ids
| where ids matches toString([subquery:_sourceCategory=category2 | parse "Id * " as singleId
| compose singleId])
This results in an error:
-
Official comment
Assuming you want to just show results from category1 where an Id from category2 is present, you might opt to move the subquery to the scoping portion of the query, and, presuming category1 does not have a field named singleId, you must use the keywords modifier on the subquery. The net result is something like below:
_sourceCategory=category1
[subquery:_sourceCategory=category2
| parse "Id * " as singleId
| compose singleId keywords]
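The two places a subquery can be substituted, as an added example that is not part of the original thread. It assumes both categories log lines of the form "Id <value>" and that in the where-clause variant the parent query parses its own id into a field with the same name the subquery composes (singleId); field names, categories and parse patterns are illustrative.

```sumo
// Variant 1: subquery in the scope, results inserted as keywords.
// compose ... keywords substitutes the subquery values as free-text search terms,
// so category1 does not need a field called singleId, and a value buried in a
// list such as "Ids [a, b, c]" still matches because keyword search is not field-bound.
_sourceCategory=category1
[subquery:_sourceCategory=category2
  | parse "Id * " as singleId
  | compose singleId keywords]
| parse "Ids [*]" as ids

// Variant 2: subquery in a where clause.
// Without keywords, compose substitutes a filter on the named field
// (singleId=value1 OR singleId=value2 ...), so the parent query must have
// parsed a field with exactly that name before the where, or the search
// fails with "Field ... not found". The subquery is a filter, not a value:
// it cannot be assigned with "as" or used in arithmetic or toString().
_sourceCategory=category1
| parse "Id * " as singleId
| where [subquery:_sourceCategory=category2
  | parse "Id * " as singleId
  | compose singleId]
```

Variant 2 only works when the parent record carries a single id per message; for the list-of-ids case in the question, the keyword form in Variant 1 is the one to use.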
I'm facing the same problem, where a subquery within a where clause is not returning the field I want:
//Base Query
| where (value_from_base_query/[subquery from=(-15m):(scoping for subquery ) | timeslice 15m
| count as transaction_count by _timeslice | compare with timeshift 7d 4 avg as AVG | sum(transaction_count_AVG) as AVERAGE | compose AVERAGE ] )<50
Returns --> "Subquery failed with error: Field AVERAGE not found, please check the spelling and try again."
How does subquery work with where /if ?