Hi
I'm trying to combine fields from multiple search results into one output table as the overall result, for example:
Search 1 result
time1,username1,condition1
Search 2 result
time1,username1,condition2
Output table
time1,username1,condition1,condition2
I hope I made the question clear.
Thanks!
Thanks,
The examples of my searches are the following:
search 1
index=devicelogs host=IP address check_result="*" | table time,user,check_result
result 1
time,user,check_result
search 2
index=devicelogs host=IP address client_version="*" | table time,user,client_version
result 2
time,user,client_version
I need to combine the results into one table, which looks like:
time,user,check_result,client_version
Can you provide the searches that create those results?
Try something like this to create one search:
index=index1 OR index=index2
|eval condition1=if(index="index1",condition,null())
|eval condition2=if(index="index2",condition,null())
|stats values(condition1) as condition1 values(condition2) as condition2 by time username
Or you can use join type=left username time
with the two searches. However, there are limits with join.
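The stats approach above applied to the searches from the question, written out as an added example (not code from the thread). Both searches hit the same index, so a single base search with an OR on the two fields is enough; the host value is a placeholder. The first search is the stats form, the second is the equivalent left join for comparison:

```spl
index=devicelogs host="<IP address>" (check_result="*" OR client_version="*")
| stats values(check_result) AS check_result values(client_version) AS client_version BY time user
| table time user check_result client_version

index=devicelogs host="<IP address>" check_result="*"
| table time user check_result
| join type=left time user
    [ search index=devicelogs host="<IP address>" client_version="*"
      | table time user client_version ]
```

The stats form scans the data once and never truncates, whereas the join's subsearch is bounded by the subsearch result limit (50,000 rows by default), so rows past that limit silently lose their client_version.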