Hi Everyone,
I am looking for writing tstats sub search in query in tstats where claus.
I tried the below way but my query giving No Result. I want write in sub search with tstats from two indexes.
Query:
| tstats latest(_time),values(relational_correlationId),values(tracePoint),values(timestamp),values(businessKey),values(businessValue) where [ tstats latest(_time) as _time ,values(relational_correlationId) as relational_correlationId ,values(tracePoint) as tracePoint,values(timestamp) as timestamp,values(content.businessFields{}.key) as businessKey,values(content.businessFields{}.value) as businessValue where index="mulesoft_index" earliest=-10m@m latest=now() by environment,businessGroup,appName,interfaceName,correlationId]
Please help me.
Thanks & Reagards,
Manikanth
Recall that the results of a subsearch become part of the main search so those results must make sense in the context of the main search. To check that, run the subsearch by itself with the format command so you can see what gets returned to the main search.
| tstats latest(_time) as _time ,values(relational_correlationId) as relational_correlationId ,values(tracePoint) as tracePoint,values(timestamp) as timestamp,values(content.businessFields{}.key) as businessKey,values(content.businessFields{}.value) as businessValue where index="mulesoft_index" earliest=-10m@m latest=now() by environment,businessGroup,appName,interfaceName,correlationId | format
Hi richgalloway,
Thanks for your response. I have tried the way you suggested but it is not working. Actually In sub search I want to get the data from other summary index.