Run a search that is parameterized by the values in the input table. It runs a search for each row of the input table.
Operator usage in easy mode
Click + on the parent node.
Enter the Run Search operator in the search field and select the operator from the Results to open the operator form.
In the Connection drop-down, enter or select the connection by which this operator will use to run the search.
In the Input Table drop-down, enter or select the table containing the data to run this operator on.
In the Query field, select a query or pick a value. The value will be displayed based on the table selected in the input table field.
Enter the start time and end time of the search query.
In the Time between Queries, enter the time between queries in seconds, minutes, hours, days, or weeks.
Optional. In the Preview field, enter a string value. This provides a preview based on the start time, end time, and the queries that are composed from query_template.
Click Run to view the result.
Click Save to add the operator to the playbook.
Click Cancel to discard the operator form.
Usage details
LQL Command
runSearch(connection, input_table, query_template, start_time, end_time,
pause_time_between_queries, preview_mode])
Input parameters
connection: Name of a connection that has already been set up.input_table: Table that supplies the parameters for the searches. The table should not have more than 500 rows.query_template: Template for the query to be sent to Devo, Elastic Search, Splunk, or Sumo Logic. The syntax stated in the example below, allows you to pull values from the parent table to be used as part of the query.start_time: SQL expression, allowing you to pull values from the parent table to parameterize the start time for the search. The system expects the expression to return Unix epoch milliseconds. The value is a string and must be enclosed in quotes.end_time: SQL expression, allowing you to pull values from the parent table to parameterize the end time for the search. The system expects the expression to return Unix epoch milliseconds. The value is a string and must be enclosed in quotes.pause_time_between_queries: Time period to pause between queries. Can be used to rate limit the searches issued to a chosen connection. It is specified in seconds. Example:"5 s"for 5 seconds.preview_mode: (Optional) When left out, the operator runs the searches as specified. When set to"true"(quoted, because it is a string), the operator is in preview mode. In preview mode, the search is not actually run, but provides a preview based on the start time, end time, and the queries that are composed fromquery_template.
The timezone for start_time and end_time is in UTC
Output parameters
In preview mode, six columns are added to the input table to show the searches that will be issued to Devo, Elastic Search, Splunk, or Sumo Logic.
In standard mode, where the search actually runs, the output table expands the input table columns to include the columns returned from the chosen connection. The column names from Devo, Elastic Search, Splunk, or Sumo Logic are prepended with "remote_".
Examples
Here is an example of the preview mode:
LQL Command
runSearch(SumoLogicConnection, input_table_1,
"_sourceCategory=$source_category_for_searching | count by _sourcehost | sort _count",
"lhub_ts - 40000", "lhub_ts + 40000", "5 s", "true")
Input table with the name input_table_1:
id | source_category_for_searching | lhub_ts |
|---|---|---|
1 | github | 1517348699000 |
2 | salesforce | 1517351974000 |
3 | cloudtrail | 1517349002000 |
Output table: The columns shaded in yellow are the preview columns for the Sumo Logic searches.
id | source_category_for_searching | lhub_ts | lhub_status | lhub_error | lhub_num_results | previewStartTime | previewQuery | previewEndTime |
|---|---|---|---|---|---|---|---|---|
1 | github | 1517348699000 | success | 0 | 1517348659000 | _sourceCategory=github | count by _sourcehost | sort _count | 1517348739000 | |
2 | salesforce | 1517351974000 | success | 0 | 1517351934000 | _sourceCategory=salesforce | count by _sourcehost | sort _count | 1517352014000 | |
3 | cloudtrail | 1517349002000 | success | 0 | 1517348962000 | _sourceCategory=cloudtrail | count by _sourcehost | sort _count | 1517348962000 |
Here is an example of the standard mode:
LQL Command
runSearch(SumoLogicConnection, input_table_1,
"_sourceCategory=$source_category_for_searching | count by _sourcehost | sort _count",
"lhub_ts - 40000", "lhub_ts + 40000", "5 s")
Input table:
id | source_category_for_searching | lhub_ts |
|---|---|---|
1 | github | 1517348699000 |
2 | salesforce | 1517351974000 |
3 | cloudtrail | 1517349002000 |
Output table: In this example, the search on "github" returns 3 results, the search on "salesforce" returns 0 results, and the search on "cloudtrail" returns 5 results. The columns shaded in green are search results from Sumo Logic. The columns lhub_status, lhub_error, and lhub_num_results provide a summary of the search.
lhub_statusindicates whether the search was "success" or "failure".lhub_erroris the error message in the case when the search resulted in a failure.lhub_num_resultsindicates the total number of results of the search.
id | source_category_for_searching | lhub_ts | lhub_status | lhub_error | lhub_num_results | remote__sourcehost | remote__count |
|---|---|---|---|---|---|---|---|
1 | github | 1517348699000 | success | 3 | host1 | 765 | |
2 | github | 1517348699000 | success | 3 | host3 | 45 | |
3 | github | 1517348699000 | success | 3 | host9 | 2 | |
4 | salesforce | 1517351974000 | success | 0 | |||
5 | cloudtrail | 1517349002000 | success | 5 | prod-cloud-2 | 10231 | |
6 | cloudtrail | 1517349002000 | success | 5 | prod-cloud-10 | 543 | |
7 | cloudtrail | 1517349002000 | success | 5 | prod-cloud-76 | 87 | |
8 | cloudtrail | 1517349002000 | success | 5 | prod-cloud-252 | 12 | |
9 | cloudtrail | 1517349002000 | success | 5 | prod-cloud-88 | 1 |