I am trying to add a new column to a row that is a different search than the first search. Using append puts it in a new row but I want it in the same row.
So basically I have:
index=a sourcetype=a | stats count as queue | eval Name="PA" | table Name queue | append [ search index=b sourcetype=b | stats count as count | eval Name="PA" | table Name count ]
So I'm getting data that correlates from two different sourcetypes and indexes, but there's no field I can join on and I just want it on the same row. Name, queue and count on the same row.
Never mind. I found out using join with no field works.
index=a sourcetype=a | stats count as queue | eval Name="PA" | table Name queue count | join [ search index=b sourcetype=b | stats count as count]
Since both your searches return a single row, you can also do these:
index=a sourcetype=a | stats count as queue | eval Name="PA" | table Name queue count | appendcols [ search index=b sourcetype=b | stats count as count]
OR
index=a sourcetype=a | stats count as queue | eval Name="PA" | table Name queue count | eval count=[ search index=b sourcetype=b | stats count as search]
As @adonio suggested, merging both queries into one would be the optimal solution, compared to all of the above solutions with subsearches.
Hello there,
Hope I understand the question correctly.
Try conditional eval in stats:
(index=a sourcetype=a) OR (index=b sourcetype=b)
| stats count(eval(sourcetype="a")) as queue count(eval(sourcetype="b")) as count
| eval Name="PA"
Uhh, that might work, but I found out just using join works.
join is expensive, better use stats when possible
I don't think your solution will work because I'm grabbing different fields and not counting the sourcetype.