The query "index=idx1 sourcetype=src1 sender="xyz" | timechart count as res1" shows results properly, and
the query "index=idx1 sourcetype=src1 sender="abc" | timechart count as res2" does not show any results.
When I try to combine both queries as below:
index=idx1 sourcetype=src1 sender="xyz" | timechart count as res1 | appendcols [search index=idx1 sourcetype=src1 sender="abc" | timechart count as res2] | fillnull res1, res2
it gives a result, but no value for the _time field.
How can I get values for the _time field?
Please help me.