I wish to make a dashboard that sort of shows an End to End flow of transactions. For this, I need to be using multiple indexes and source types. I only want to display the top 2 or 5 events grabbed from any index.
I want to grab the last 2 events from foo and the last 2 events from bar putting them both into the same table view.
Thanks for the suggestion.
Is there anyway to append that to this clause:
index="Foo" OR index="bar" source="FOO" OR source="BAR" .
I have tried to do this:
(index=foo source="FOO" | head 2) OR (index=bar source="BAR" | head 2) but this did not seem to work 😞