Hi,

I need to create a dashboard panel merging two different search queries. I have below two queries:

• index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" "Broker may not be available" | rex field=_raw "(?ms)]\s(?P<Code>\w+)\s\[" | search Code="WARN" | stats count | eval mwgcb-ckbla02U.nam.nsroot.net=if(count=0, "Running", "Down") | table mwgcb-ckbla02U.nam.nsroot.net

This give me the status of the  broker based on the availability of the indicator "Broker may not be available".

• index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/zookeeperLogs/*" "java.net.SocketException: Broken pipe" OR "ZK Down" | rex field=_raw "(?ms)\]\s(?P<Code>\w+)\s" | search Code="WARN" | rex field=_raw "(?ms)\/(?P<IP_Address>(\d+\.){3}\d+)\:\d+" | stats count | eval mwgcb-ckbla02U.nam.nsroot.net=if(count=0, "Running", "Down") | table mwgcb-ckbla02U.nam.nsroot.net

This gives me the status of zookeeper based on the availability of the indicators "java.net.SocketException: Broken pipe" OR "ZK Down".

Now, I want to merge both the search queries such that I can get the status of both broker and zookeeper in a tabular format.

for e.g.  for the host mwgcb-ckbla02U.nam.nsroot.net

Broker             Down

Zookeeper    Running

I tried creating a query as below:

index=int_gcg_nam_eventcloud_164167 host="mwgcb-ckbla02U*" source="/logs/confluent/kafkaLogs/server.log" OR source="/logs/confluent/zookeeperLogs/zookeeper.log" "Broker may not be available" OR "java.net.SocketException: Broken pipe" OR "ZK Down" | stats count by source | lookup component_lookup.csv "source" | eval Status=if(count=0, "Running", "Down")| table Component,Status

However in any time range where the indicators are not available, it throws output as "No results found" and hence not able to create the dashboard.

Please help to get the output in the desired manner. Thanks..!!