How do i use join in a query where i have used dat...

rohitnaz007 · ‎12-01-2020

I am using search query from indexes using join operator and get result as below ,

Search Query =

index=case_management AND cef_name="Case inserted"
| where fname LIKE "%%CMI - IPS%%"
| dedup fileId
| join fname
[ search index=case_management AND cef_name="Case updated" ]
| rex field=fname "CMI - IPS - \((?<customer_id>[\d]+)\) - CMI (?<Env>[^\s]+) - "
| where Env ="Prod"
| timechart span=1mon count by flexString2 fixedrange=false cont=false
| where _time>=relative_time(now(),"-3mon@mon") AND _time<relative_time(now(),"-0mon@mon")

Result is=

_time Closed Follow-Up Queued
2020-09 113 4 1
2020-10 26 0 0

i want to get the same result by writing a query using data model.

@elrich11

rohitnaz007 · ‎12-02-2020

can anyone help in this scenario, this is an urgent issue for me!

How do i use join in a query where i have used data from 2 data models?

visualization

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

How do i use join in a query where i have used data from 2 data models?

visualization

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...