Hi.
I have two separate searches.
Search1 returns events where field1 and field2 exist:
search source=x resource=foo | table field1, field2
Search2 returns events where field2 and field3 exist:
source=y resource=bar | stats count by field2, field3
Events of Search2 do not contain mentions of field1, but there is a one-to-one relation between field1 and field2, shown by the results of Search1. How can I combine these two searches into one search so that all three fields field1, field2 and field3 are shown in a table?
Try this:
index=foo source=x resource=foo | table field1, field2 | append [search index=bar source=y resource=bar | stats count by field2, field3] | stats values(*) as * by field2
Thank you.
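The append-then-stats pattern from the answer above, as an added example that is not part of the original thread: `makeresults` stands in for the two real searches so it can be run in any Splunk search bar without indexed data. The values `host-N`, `id-N`, `allow` and `deny` are constructed sample data.

```spl
| makeresults count=3
| streamstats count as n
| eval field1="host-".n, field2="id-".n
| table field1, field2
| append
    [| makeresults count=4
     | streamstats count as n
     | eval field2="id-".(n % 3 + 1), field3=if(n % 2 == 0, "allow", "deny")
     | stats count by field2, field3]
| stats values(*) as * by field2
```

In the constructed data `id-2` appears with two different field3 values, so its merged row holds field3 as a multivalue field, and `values(*) as *` also collapses `count` to its distinct values instead of keeping one count per field3. If per-field3 counts matter, aggregate them explicitly rather than through the wildcard.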