Combine/merge two queries

Does Graylog have a possibility to combine two search queries, i.e. to use the outcome of one search as parameter input for another query (like an SQL join)?

Use case:
I have a search facility: xxx AND “error-text”
Using correlation IDs found in this first search I can do another search query to find related messages (one by one). Can I use the outcome of the first query as input to the second?
I would like to create a CSV export afterwards for easy analysis.
Thanks

Hi @Joklu,

No, there is nothing like a join in Graylog. Can you try to explain a bit differently what you are trying to achieve? Perhaps there is another way of doing this?

With your query you find messages which have an ID. And now you want to find messages with this ID?
Why not just search for the ID? What does the join have to do with it?

Best regards,
Konrad

Hi @konrad, thanks for your reply!

I want to search related messages, but not for one ID (that can be done manually), but for multiple IDs that have been found in the other search message. So this is where the join comes in :)

Query 1 result:
id:x01 error=“error text”…
id:x02 error=“error text”…
id:x03 error=“error text”…
etc.

I want to search all related messages for x01, x02, x03 automatically.
Hope this clarifies!

Hey @Joklu,

thanks a lot! So I was pondering about it and I do not see a way to do this.

I will open a Feature Request for I have some ideas how to approach this. But I do not see something coming in this year.

- Konrad

Here is the feature request I have opened. If you can provide more details / use cases, feel free to add them.
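
Added example, not part of the thread and not Graylog code: a client-side stand-in for the join, which reads a CSV export of the first search, collects the distinct IDs, and builds the follow-up query strings to paste into the search bar. It assumes the export has an `id` column as in the sample result above; the function names, the sample rows and the chunk size are constructed for illustration. IDs are quoted as phrases so that a value taken from a log message cannot change the meaning of the second query.

```python
import csv
import io

# Constructed sample: CSV export of the first search (xxx AND "error-text").
QUERY1_EXPORT = '''timestamp,id,message
2024-01-01T10:00:00Z,x01,error text
2024-01-01T10:00:05Z,x02,error text
2024-01-01T10:00:09Z,x01,error text
2024-01-01T10:01:00Z,,error text without id
2024-01-01T10:02:00Z,"x03"" OR *",error text
'''


def quote_term(value):
    """Quote a log-derived value as a phrase so it cannot alter the query."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def extract_ids(csv_text, column="id"):
    """Return the unique, non-empty IDs in first-seen order."""
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        if value:
            seen.setdefault(value, None)
    return list(seen)


def build_queries(ids, field="id", chunk_size=100):
    """Build one 'field:(a OR b ...)' query per chunk of IDs.

    Chunking keeps each query string short; 100 is an arbitrary choice.
    """
    queries = []
    for start in range(0, len(ids), chunk_size):
        chunk = ids[start:start + chunk_size]
        terms = " OR ".join(quote_term(i) for i in chunk)
        queries.append(f"{field}:({terms})")
    return queries


if __name__ == "__main__":
    for query in build_queries(extract_ids(QUERY1_EXPORT), chunk_size=2):
        print(query)
```

Each printed line is a second-stage query; running it and exporting the result to CSV gives the related messages for that batch of IDs.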
