Hi,
I am trying to append results from 2 different sources and I am not seeing results populated, especially for the subsearch. Most of the time the first search will not have any values (in timechart it would be 0s), but the subsearch will always have values, as it is response time. But it is not showing any values for the subsearch. I have tried join, etc., but to no avail. Basically, I am trying to view response time over time on top of the first search results.
sourcetype=X date_hour > 8 date_hour < 19 date_wday!=Sunday date_wday!=Saturday | timechart count | appendcols [search sourcetype=Y | timechart avg(rt_sec) as RespTime]
Try this workaround:
sourcetype=X date_hour > 8 date_hour < 19 date_wday!=Sunday date_wday!=Saturday | timechart count | append [search sourcetype=Y | timechart avg(rt_sec) as RespTime] | stats first(*) as * by _time
I am able to get results if I use a left join and have the max value specified. Like this: join type=left max=600 _time
I am not getting the 2nd column at all. I have switched base search vs subsearch.
Also, since the subsearch always returns values, can you make it the base search and use the base search (which doesn't always return results) as the subsearch? You can use the table command to correct the order of the fields.
Try without the last stats and let me know the columns you're getting...
I have tried to use stats with bucket _time; I see 2 columns, but as the first part has only a few values, I am not seeing data points when it is missing values.
Hi, I am not getting any results if I use that.