Search A may work, but it is very inefficient. This should do exactly the same thing, but much faster:
index=$host_select$ | table serverName message method
You should be getting results only from the index that you selected.
Search B selects everything from the webserver1 index, but will only keep events that have a matching message in the major_message index. If there is no match, then there will be no events from webserver1. If there is a match, you will get the messageType from the major_message index. I think there may also be a syntax error in this search. After all of that, if it works at all, you will still only get the events from the index you selected. My guess is that you get nothing unless you select webserver1 - and probably you still get nothing from search B.
From looking at search B, I have a few questions:
- What is
major_message? Is it data that would allow you to determine the
the type of a message? Where does it come from? Could this data be used as
a lookup table? That would be easier than a join.
- Is the data in webserver1 webserver2 and webserver3indexes
completely independent? For these
searches, do you want to look at only data from one of them, or do
you want to correlate data from across all three? If you only want to
look at data from a selected webserver, start the search string with
index=$host_select$
