I have two separate searches and I want to display the results in 1 timechart with a calculated field.
"searchA" | timechart span=1d count AS SEARCH_A
            SEARCH_A
2/12/2013   5
2/13/2013   4
"totalSearch" | timechart span=1d count as TOTAL_SEARCH
            TOTAL_SEARCH
2/12/2013   8
2/13/2013   11
I'm using appendcols but I can't get SEARCH_B to display.
"searchA" | timechart span=1d count AS SEARCH_A | fields + SEARCH_A | appendcols ["totalSearch" | timechart span=1d count as TOTAL_SEARCH | eval SEARCH_B=TOTAL_SEARCH-SEARCH_A]
The combined result should be something like:
            SEARCH_A   SEARCH_B   TOTAL_SEARCH
2/12/2013   5          3          8
2/13/2013   4          7          11
Is it possible that you forgot to put the search keyword in your subsearch?
Or, try this instead:
"searchA"
| eval series="Search A"
| append [ search "totalSearch" | eval series="Search B" ]
| timechart span=1d count by series
Note that the second search is limited to 50,000 events by default. If that is not enough, you could do it this way instead - not as clean, but workable:
"searchA"
| bucket _time span=1d
| stats count by _time
| eval series="Search A"
| append [ search "totalSearch"
| bucket _time span=1d
| stats count by _time
| eval series="Search B" ]
| timechart span=1d sum(count) as Count by series
Yes, I forgot the 'search' inside the subsearch, but I'm still facing the same problem. My issue here is that it's not recognizing the field from the outer search, which I'm using to calculate a value in the subsearch. To make the query clearer:
"searchA" | timechart span=1d count AS SEARCH_A_COUNT | fields + SEARCH_A_COUNT | appendcols [search "totalSearch" | timechart span=1d count as TOTAL_SEARCH_COUNT | eval SEARCH_B_COUNT=TOTAL_SEARCH_COUNT-SEARCH_A_COUNT]
The SEARCH_B_COUNT is derived from the difference between total count and searchA count, but it's not recognizing the SEARCH_A_COUNT.
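As an added example (not part of any post in this thread): a subsearch in SPL is evaluated on its own, before the outer search, so a field such as SEARCH_A_COUNT that the outer timechart produces is never visible inside the appendcols brackets, and the eval there silently yields nothing. Moving the eval after appendcols, where both columns sit on the same row, gives the result shown in the question. The search strings and field names are the ones used in the thread; the second query is an alternative that does not depend on row order.

```spl
"searchA"
| timechart span=1d count AS SEARCH_A_COUNT
| appendcols [ search "totalSearch" | timechart span=1d count AS TOTAL_SEARCH_COUNT ]
| eval SEARCH_B_COUNT=TOTAL_SEARCH_COUNT-SEARCH_A_COUNT
| table _time SEARCH_A_COUNT SEARCH_B_COUNT TOTAL_SEARCH_COUNT

"searchA"
| bucket _time span=1d
| stats count AS SEARCH_A_COUNT by _time
| append [ search "totalSearch" | bucket _time span=1d | stats count AS TOTAL_SEARCH_COUNT by _time ]
| stats sum(SEARCH_A_COUNT) AS SEARCH_A_COUNT sum(TOTAL_SEARCH_COUNT) AS TOTAL_SEARCH_COUNT by _time
| fillnull value=0 SEARCH_A_COUNT TOTAL_SEARCH_COUNT
| eval SEARCH_B_COUNT=TOTAL_SEARCH_COUNT-SEARCH_A_COUNT
| timechart span=1d max(SEARCH_A_COUNT) AS SEARCH_A max(SEARCH_B_COUNT) AS SEARCH_B max(TOTAL_SEARCH_COUNT) AS TOTAL_SEARCH
```

The first query relies on appendcols gluing the subsearch rows to the outer rows by position. That works here only because timechart emits one row for every bucket in the search time range, so both sides line up as long as the outer search and the subsearch cover the same time range. The second query instead keys everything on _time: append stacks the two daily counts, stats by _time merges them into one row per day, fillnull turns a missing day on either side into 0 rather than a blank SEARCH_B_COUNT, and the final timechart only renders the already-bucketed rows.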