Hi Everyone,
I have two search queries with two filter criteria's
1st query:
index=abc ns=xyz app_name=sd "ARC EVENT RECEIVED FROM SOURCE"| rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)"
| stats count, by sourceagent,RID
| rename sourceagent as "Source"|fields RID Source
2nd query
index=abc ns=xyz app_name=sd"ARC SUCCESSFULLY UPDATED RESPONSE BACK TO SOURCE OR SF"| rex "RID:(?<RID>(\w+-){4}\w+)-(?<sourceagent>\w+-\w+)"
| stats count, by sourceagent,RID
| rename sourceagent as "Source"|fields RID Source
Since the search is same for both only the filter criteria is different like "ARC EVENT RECEIVED FROM SOURCE" and "ARC SUCCESSFULLY UPDATED RESPONSE BACK TO SOURCE OR SF".
How can I make it a single query with two filter criteria.
Can someone guide me on that.
