I have a new problem now when I try to filter the search by a field name value where the two searches have different field names.
Query-1 has the field name "SessionType" and Query-2 has the field name "Product". I am trying to filter the search with Product="meeting" and I am not getting the complete result set.
sourcetype="broker" host="g2m*" (createUpdateAttendeeResource OR Participant_System_Information) | rename OSType as OS | eval OS = if(OS=="" or isnull(OS),ClientName,OS) | rename Product as Producttype | eval ProductType = if(ProductType=="" or isnull(ProductType),Sessiontype,ProductType) | top limit=4 OS
OS count percent
Windows 16530 86.580767
MacOSX 2250 11.785041
iOS 234 1.225644
android 78 0.408548
But when I use the filter SessionType="meeting", I get only one result set:
sourcetype="broker" host="g2m*" (createUpdateAttendeeResource OR Participant_System_Information) | rename OSType as OS | eval OS = if(OS=="" or isnull(OS),ClientName,OS) | rename Product as Producttype | eval ProductType = if(ProductType=="" or isnull(ProductType),Sessiontype,ProductType) | search SessionType="meeting" | top limit=4 OS
OS count percent
Windows 11677 86.656772
MacOSX 1615 11.985158
iOS 183 1.358071
I am not sure why the second query's result set is not given; I need the count for "android" as I got in step 1.
Please help.
Oops! Typo in the query.
I got the answer for this: I misspelled the field name as "Producttype" instead of "ProductType" ('T' in uppercase), and I can see the result now:
sourcetype="broker" host="g2m*" (createUpdateAttendeeResource OR Participant_System_Information) | rename OSType as OS | eval OS = if(OS=="" or isnull(OS),ClientName,OS) | rename Product as ProductType | eval ProductType = if(ProductType="" or isnull(ProductType),SessionType,ProductType) | search ProductType="meeting" | top OS