Hi
I have two data sources; how can I show them in a single timechart graph? The search I'm trying:
(index=abc result=a) OR (index=xyz find=c)|timechart span=10m count by index
Hi kiran331,
Can you please try this one?
(index=abc result=a) OR (index=abc result=b ) OR (index=xyz find=c )
| eval field = if(isnotnull(result) AND (index="abc" AND (result="a" OR result="b")), result, if(isnotnull(find) AND (index="xyz" AND find="c"), find, "undefined"))
| timechart span=10m count by field
Thanks
Kamlesh
Try this:
(index=abc result=a) OR (index=abc result=b) OR (index=xyz find=c)
| eval field=case(index="xyz", "c",
result="a", "a",
result="b", "b",
true(), "N/A")
| timechart span=10m count BY field
You can't use eval within base search like that. You should add it after the base search using an expression based on index name. Like this
(index=abc result=a) OR (index=abc result=b|eval field=b) OR (index=xyz find=c|eval field=c)
| eval field=case(index="abc" AND result="a", "a", index="abc" AND result="b", "b", index="xyz" AND find="c", "c", true(), "undefined")
|timechart span=10m count by field
You left the eval parts in your base search.
What issue do you see with your current query? It should give you two lines (assuming you're using a line chart), one for each index, in one chart.
Hi Somesoni2,
I have events from the same 2 indexes; I'm not able to use count by index, and when I try to use eval new=field it's showing an error.
The search I'm trying:
(index=abc result=a|eval field=a) OR (index=abc result=b|eval field=b) OR (index=xyz find=c|eval field=c)|timechart span=10m count by field