
runSearch

Run a search that is parameterized by the values in the input table. It runs a search for each row of the input table.

Operator Usage in Easy Mode

  1. Click + on the parent node.
  2. Enter the Run Search operator in the search field and select the operator from the Results to open the operator form.
  3. In the Connection drop-down, enter or select the connection this operator will use to run the search.
  4. In the Input Table drop-down, enter or select the table containing the data to run this operator on.
  5. In the Query field, select a query or pick a value. The values offered depend on the table selected in the Input Table field.
  6. Enter the start time and end time of the search query.
  7. In the Time between Queries field, enter the pause between queries in seconds, minutes, hours, days, or weeks.
  8. Optional. In the Preview field, enter a string value. This provides a preview based on the start time, end time, and the queries that are composed from query_template.
  9. Click Run to view the result.
  10. Click Save to add the operator to the playbook.
  11. Click Cancel to discard the operator form.

Usage Details

LQL Command

runSearch(connection, input_table, query_template, start_time, end_time,
          pause_time_between_queries[, preview_mode])

Input Parameters

  • connection: Name of a connection that has already been set up.
  • input_table: Table that supplies the parameters for the searches. The table should not have more than 500 rows.
  • query_template: Template for the query to be sent to Devo, Elastic Search, Splunk, or Sumo Logic. The $column_name syntax shown in the examples below allows you to pull values from the parent table into the query.
  • start_time: SQL expression, allowing you to pull values from the parent table to parameterize the start time for the search. The system expects the expression to return Unix epoch milliseconds. The value is a string and must be enclosed in quotes.
  • end_time: SQL expression, allowing you to pull values from the parent table to parameterize the end time for the search. The system expects the expression to return Unix epoch milliseconds. The value is a string and must be enclosed in quotes.
  • pause_time_between_queries: Time period to pause between queries. Can be used to rate-limit the searches issued to a chosen connection. It is specified in seconds, for example "5 s" for 5 seconds.
  • preview_mode: (Optional) When left out, the operator runs the searches as specified. When set to "true" (quoted, because it is a string), the operator is in preview mode. In preview mode, the search is not actually run, but provides a preview based on the start time, end time, and the queries that are composed from query_template.

The timezone for start_time and end_time

Both values are interpreted in UTC.

Output Parameters

In preview mode, six columns are added to the input table to show the searches that will be issued to Devo, Elastic Search, Splunk, or Sumo Logic.

In standard mode, where the search actually runs, the output table expands the input table columns to include the columns returned from the chosen connection. The column names from Devo, Elastic Search, Splunk, or Sumo Logic are prefixed with "remote_".

Examples

Here is an example of the preview mode:

LQL Command

runSearch(SumoLogicConnection, input_table_1,
          "_sourceCategory=$source_category_for_searching | count by _sourcehost | sort _count",
          "lhub_ts - 40000", "lhub_ts + 40000", "5 s", "true")

Input table with the name input_table_1:

id | source_category_for_searching | lhub_ts
1  | github                        | 1517348699000
2  | salesforce                    | 1517351974000
3  | cloudtrail                    | 1517349002000

Output Table: The six columns added after lhub_ts (lhub_status, lhub_error, lhub_num_results, previewStartTime, previewQuery, previewEndTime) are the preview columns for the Sumo Logic searches; no search is actually issued. The previewQuery value is quoted here because it contains "|" characters of its own.

id | source_category_for_searching | lhub_ts       | lhub_status | lhub_error | lhub_num_results | previewStartTime | previewQuery                                                      | previewEndTime
1  | github                        | 1517348699000 | success     |            | 0                | 1517348659000    | "_sourceCategory=github | count by _sourcehost | sort _count"     | 1517348739000
2  | salesforce                    | 1517351974000 | success     |            | 0                | 1517351934000    | "_sourceCategory=salesforce | count by _sourcehost | sort _count" | 1517352014000
3  | cloudtrail                    | 1517349002000 | success     |            | 0                | 1517348962000    | "_sourceCategory=cloudtrail | count by _sourcehost | sort _count" | 1517348962000
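To make the preview-mode expansion concrete, here is a small Python model of it. It is added here and is not LogicHub's code; it only mimics the documented behaviour: $column references are substituted from each row, start_time and end_time are evaluated as "column +/- N" in epoch milliseconds, the pause spec and the 500-row limit are checked, and the six preview columns are appended. Restricting the SQL expression to the "column +/- N" form and failing one row at a time are assumptions.

```python
import re

MAX_INPUT_ROWS = 500                                        # row limit stated in the docs
_TIME_EXPR = re.compile(r"^\s*(\w+)\s*([+-])\s*(\d+)\s*$")  # e.g. "lhub_ts - 40000"
_PAUSE_SPEC = re.compile(r"^\s*(\d+)\s*s\s*$")              # e.g. "5 s"

def render_query(template, row):
    """Replace each $column reference with that row's value, inserted verbatim."""
    # Row values land in the query string unchanged, so validate untrusted columns upstream.
    def sub(m):
        col = m.group(1)
        if col not in row:
            raise ValueError(f"query_template references missing column {col}")
        return str(row[col])
    return re.sub(r"\$(\w+)", sub, template)

def eval_time_expr(expr, row):
    """Evaluate 'column +/- N' against the row; the result is epoch milliseconds (UTC)."""
    m = _TIME_EXPR.match(expr)
    if not m or m.group(1) not in row:
        raise ValueError(f"bad or unresolvable time expression: {expr!r}")
    base, n = int(row[m.group(1)]), int(m.group(3))
    return base + n if m.group(2) == "+" else base - n

def preview_run_search(rows, query_template, start_time, end_time, pause):
    """Preview mode: compose each search without issuing it; add the six lhub/preview columns."""
    if len(rows) > MAX_INPUT_ROWS:
        raise ValueError(f"input_table has {len(rows)} rows; the limit is {MAX_INPUT_ROWS}")
    if not _PAUSE_SPEC.match(pause):                # validated even though preview never sleeps
        raise ValueError(f"pause_time_between_queries must look like '5 s': {pause!r}")
    out = []
    for row in rows:
        r = dict(row, lhub_status="success", lhub_error="", lhub_num_results=0)
        try:
            r["previewStartTime"] = eval_time_expr(start_time, row)
            r["previewQuery"] = render_query(query_template, row)
            r["previewEndTime"] = eval_time_expr(end_time, row)
        except ValueError as e:                     # a bad row fails alone; the rest still preview
            r["lhub_status"], r["lhub_error"] = "failure", str(e)
        out.append(r)
    return out

INPUT_TABLE_1 = [  # constructed copy of input_table_1 from the example above
    {"id": 1, "source_category_for_searching": "github", "lhub_ts": 1517348699000},
    {"id": 2, "source_category_for_searching": "salesforce", "lhub_ts": 1517351974000},
    {"id": 3, "source_category_for_searching": "cloudtrail", "lhub_ts": 1517349002000},
]
QUERY = "_sourceCategory=$source_category_for_searching | count by _sourcehost | sort _count"
```

Calling preview_run_search(INPUT_TABLE_1, QUERY, "lhub_ts - 40000", "lhub_ts + 40000", "5 s") reproduces the preview rows above, with previewEndTime always 80000 ms after previewStartTime.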

Here is an example of the standard mode:

LQL Command

runSearch(SumoLogicConnection, input_table_1,
          "_sourceCategory=$source_category_for_searching | count by _sourcehost | sort _count",
          "lhub_ts - 40000", "lhub_ts + 40000", "5 s")

Input Table:

id | source_category_for_searching | lhub_ts
1  | github                        | 1517348699000
2  | salesforce                    | 1517351974000
3  | cloudtrail                    | 1517349002000

Output Table: In this example, the search on "github" returns 3 results, the search on "salesforce" returns 0 results, and the search on "cloudtrail" returns 5 results, so each input row expands into one output row per result (the "salesforce" row is kept with empty remote_ columns). The remote__sourcehost and remote__count columns are the search results from Sumo Logic. The columns lhub_status, lhub_error, and lhub_num_results summarize each search:

  • lhub_status indicates whether the search was "success" or "failure".
  • lhub_error is the error message in the case when the search resulted in a failure.
  • lhub_num_results indicates the total number of results of the search.

id | source_category_for_searching | lhub_ts       | lhub_status | lhub_error | lhub_num_results | remote__sourcehost | remote__count
1  | github                        | 1517348699000 | success     |            | 3                | host1              | 765
2  | github                        | 1517348699000 | success     |            | 3                | host3              | 45
3  | github                        | 1517348699000 | success     |            | 3                | host9              | 2
4  | salesforce                    | 1517351974000 | success     |            | 0                |                    |
5  | cloudtrail                    | 1517349002000 | success     |            | 5                | prod-cloud-2       | 10231
6  | cloudtrail                    | 1517349002000 | success     |            | 5                | prod-cloud-10      | 543
7  | cloudtrail                    | 1517349002000 | success     |            | 5                | prod-cloud-76      | 87
8  | cloudtrail                    | 1517349002000 | success     |            | 5                | prod-cloud-252     | 12
9  | cloudtrail                    | 1517349002000 | success     |            | 5                | prod-cloud-88      | 1