I didn't really know how to phrase this question so I just included the SideView modules I'm using.
I have a set of events that have a unique identifier field. Let's call it 'refid'. Then, sometimes, the events will have a field called 'related_events' which is a multi-value field containing 'refid' values that refer to other events in the same index.
So, my goal is to basically JOIN all 'related_events' to the same result set as the primary events. I tried using the JOIN command but it's pretty slow search because the JOIN search has to run over all time.
Since this is in a Dashboard I can break up the process into two seaches:
- Search 1 - run a search using the textfield input and get a list of refids to retrieve with search 2
index=myindex | eval refids=mvappend(refid,related_events) | mvexpand refids | stats values(refids) AS refids
- Search 2 - Using ResultsValueSetter, ValueSetter & ArrayValueSetter I create a string from the list of refids from search 1 which looks like this: refid="123" OR refid="456" OR refid="567" OR refid="8910" etc.
I really have two problems but only one is really necessary to solve right now.
Problem - How could I create a field in search two that tells me if the result is 'primary' or 'related' ?
- use custom javascript to parse out the ORs and ANDs and then provide the search with the values to be used with the HIGHLIGHT command
EDIT: Source Data Example w/ User Search Example
Let's say a user does a search like this:
index=myindex sourcetype=st1 xxxkeywordherexxx
_raw - these two events are returned because they contain the keyword xxxkeywordherexxx
timestamp: 2013-02-10 12:54:01 refid: 1234 related_events: 456 789 323 uname: fooname summary: a bunch of text summarizing the event and users keyword search mainly this text and it has ips domains xxxkeywordherexxx
timestamp: 2012-11-01 04:51:43 refid: 0201 related_events: 320 312 uname: barname summary: blah blah blah xxxkeywordherexxx blah blah blah
What I want is to achieve a JOIN on the multi-value field 'related_events' where each value of 'related_events' references another event's refid.
So the end goal is that the search would return the initial search results with a new field detailing whether the result was primary or related depending if the event was the result of the primary search or if it was fetch because it was referenced as 'related':
| eval search_type="primary"
| eval search_type="related"
| 2013-02-10 12:54:01 | 1234 | 456 789 323 | fooname | primary |
| 2012-01-11 13:01:01 | 456 | 666 | myusername | related |
| 2012-12-01 04:01:22 | 789 | fooname | related | |
| 2012-12-12 15:22:12 | 323 | ausername | related | |
| 2012-11-11 00:10:10 | 0201 | 320 312 | ausername | primary |
| 2012-11-05 02:11:05 | 320 | 012 | ausername | related |
| 2012-11-02 09:01:02 | 312 | myuname | related |
It would be nice to dive even deeper and retrieve one more level of 'related events' by looking at the 'related_events' field of the related events as well. For example, the events: 012 & 666