I have a query that combines 1 search and 2 sub-searches. The main search is a summary index and needs sum(count) in the timechart to look right. The 2 sub-searches do not need sum(count); they just need "count" so they are represented properly on the timechart.
I was thinking if there was a way to convert sum(count) to count I would be good.
This summary index runs every 15 minutes and buckets by the minute:
Here's my attempt to translate sum(count) to count:
index="summary_onemin" error | eventstats sum(count) as count by _time | append [| search index=power_user "null" | bucket _time span=2m | eval CODE="powerNULL"] | timechart span=2m by CODE
Without the subsearch the search would look like this and works as intended:
index="summary_onemin" error | timechart sum(count) as COUNT by CODE
Try this
index="summary_onemin" error | table _time CODE count
| append [search index=power_user "null" | bucket _time span=2m | eval CODE="powerNULL"
| stats count by _time, CODE]
| timechart span=2m sum(count) as count by CODE
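The answer above works by giving both sources the same shape (_time, CODE, count) before a single timechart sums them. The search below is an added example, not part of the original thread, that applies the same idea with multisearch instead of append: the raw events are tagged with count=1 and the summary rows keep the count they already carry, so one timechart sum(count) re-buckets both correctly. It assumes the same index names as the thread, that the summary rows have a count field, and that the label powerNULL is a literal string (hence the quotes).

```spl
| multisearch
    [search index=summary_onemin error
        | fields _time CODE count]
    [search index=power_user "null"
        | eval CODE="powerNULL", count=1
        | fields _time CODE count]
| timechart span=2m sum(count) as count by CODE
```

multisearch streams both result sets into the pipeline, so the raw-event side is not subject to the result and time limits that apply to a subsearch inside append, and the bucket command is unnecessary because timechart does the 2-minute bucketing for every row. The trade-off is that each multisearch branch may contain only streaming commands (search, eval, fields, rex and the like); a stats in a branch, as in the append version, is not allowed there, so leave the counting to the final timechart.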
Thanks Somesoni!
Can you post your full search?