hi,
I am writing the following search query in the dashboard panel
sourcetype=xml22 |where $field1$ = 7|search Text="*Launched application: Automatic Registration"| eval Name = "Automatic Registration launch" |stats count by Name|table Name count
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: AutoQuant"| eval Name = "AutoQuant launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: FilmView"| eval Name = "FilmView launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: NM Renal"| eval Name = "NM Renal launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: NM Viewer"| eval Name = "NM Viewer launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: AutoSPECT Pro"| eval Name = "AutoSPECT Pro launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Launched application: AVA"| eval Name = "AVA launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Bone Mineral Density"| eval Name = "Bone Mineral Density launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Brain Perfusion"| eval Name = "Brain Perfusion launch" |stats count by Name|table Name count]
| append[search sourcetype=xml22 |where $field1$ = 7|search Text="Launched application: Cardiac Viewer"| eval Name = "Cardiac Viewer launch" |stats count by Name|table Name count]*
and when i am performing single searches for the above group search like
sourcetype=xml22 |search Text="*Launched application: AutoQuant"| eval Name = "AutoQuant launch" |stats count by Name|table Name count*
the results are varying.
The query says that when the text in Text="Launched application: AutoSPECT Pro" arrives then print the name as given in eval Name = "AutoSPECT Pro launch" and then give the count of its occurrence as in stats count by Name|table Name count
This count is same for a few searches but its varying for others. Kindly help:)
I'm seeing the same thing on one of our dashboards, i do the same exact query from the search bar, vs the dashboard and get different results.
Here same issue. Within the dashboard I see a partial result while my query is exactly the same.
Hello,
I don't think there is a reason for the results to vary but I'm wondering if there no other way to perform your search... it seems very repetitive. What about you do something like:
sourcetype=xml22 $field1$ = 7 | stats count by Text
I know that it will return the full text and not the name you want... but after you get the stats you could use a lookup table to replace the "text" with the "name" you like or maybe | eval name=CASE(...)
to change it.
It'll simplify your search command and make easier to debug...