I have 2 queries and need to show the result of both in one table
index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)
index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)
both the above queries work individually but when joined as below
index=someindex queryType="ts" filename=RECON status=1| dedup filename |rename filename as Weekly| join queryType [search index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily ]| stats count(Daily),count(Weekly)
gives incorrect output
try like
index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)|appendcols [search index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)]
try like
index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)|appendcols [search index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)]
Perfect!
I was trying Joining the 2 searches but "appendcols" worked like a charm...thanks.
I am not sure why you are deduping. Assuming that's what you want...try this:
index=someindex queryType="ts" filename=RECON OR filename=PNASC.HRBDT status=1| dedup filename | stats count by filename
The files have date timestamp extension and I need to show them bundled by the types...hence this will not work.