How can the following 2 searches be used in a single Pie Chart?
SEARCH ONE
index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" | rex field=Message "\S*user (?<ValueOne>\S*)" | dedup ValueOne | Stats Count
SEARCH TWO
index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," | rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"| dedup ValueTwo | Stats Count
I can join both the statements, but that doesn't allow them both to be used in a single chart. Seems one carries precedence over the other.
Also tried
( index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" | rex field=Message "\S*user (?<ValueOne>\S*)" | dedup ValueOne ) OR ( index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," | rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"| dedup ValueTwo ) | stats count by index | replace security with TestOne network with TestTwo
that gives a unbalanced parentheses error
Are you looking for this?
index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted"
| rex field=Message "\S*user (?<ValueOne>\S*)"
| dedup ValueOne
| append [ search index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2,"
| rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"
| dedup ValueTwo ]
| stats count by index
| replace security with TestOne network with TestTwo
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
Are you looking for this?
index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted"
| rex field=Message "\S*user (?<ValueOne>\S*)"
| dedup ValueOne
| append [ search index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2,"
| rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"
| dedup ValueTwo ]
| stats count by index
| replace security with TestOne network with TestTwo
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
Exacty that! Thanks for the quick response!