I have two separate searches that I want to group into one. When I use appendcols I get wrong counts for the search encapsulated within appendcols . Can someone clue me into what I'm doing wrong?
In the search below, "Provisioned Org" returns an incorrect count, than when I run it on its own.
sourcetype=logs statusCode=400 "Org failure" earliest=-1mon@mon latest=@mon| timechart span=1d count as FAILED|appendcols [search sourcetype=logs "Provisioned org" earliest=-1mon@mon latest=@mon | timechart span=1d count as SUCCESSFUL]
... View more