I am performing a search and a subsearch and would like to combine the results into a single result set. I have run the 2 searches individually and have an idea of what the combined result set should be. I have tried join, append and appendcols on the subsearch with all of the different options (inner/outer join, overwrite/override=true/false, etc.), and in all of these cases my result set is missing records that should be in there (i.e. combined I should have about 30 unique records, but the max I get is 10).
Any idea what might be going on? There are some records that appear in both searches and some that are only in one. In most cases it seems the subsearch results are the ones that are missing.
Figured it out with an append, then running another stats command to add the values from both result sets, grouping by the primary key.
I can't share my data, as it's private customer data, but I can walk you through it in pseudocode and maybe that will help...
sourcetype=X | where var1=a OR (var2=b OR var2=d) OR var3=g | stats count(var1), sum(var2), sum(var3) by var4 | append [search sourcetype=X | where (NOT var1=a) AND (var2=c OR var2=f) | stats count(var1), sum(var2), sum(var3) by var4]
The append combined my result sets, but it resulted in duplicates of var4. So then I added another stats command like: stats sum(var1), sum(var2), sum(var3) by var4. This combined the duplicates and added the values.
Does that help?
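An added illustration of the approach in the answer above (example code written for this page, not from the original thread and not Splunk's own code): a small Python simulation of what Splunk's join, append and stats-by-key do to two stats outputs, on constructed rows. The host names, field values and the three summary fields are made up; the point is to show why the join attempts kept dropping the records that exist only in the subsearch, while append followed by a second stats keeps all of them.

```python
# Example code added to this page, not from the original thread.
# Simulates Splunk's join / append / "stats ... by key" on two
# already-aggregated result sets to show which rows survive each.
from collections import defaultdict

# Constructed sample: output of the main search's "stats ... by var4".
MAIN = [
    {"var4": "host-a", "count(var1)": 3, "sum(var2)": 10, "sum(var3)": 5},
    {"var4": "host-b", "count(var1)": 1, "sum(var2)": 4, "sum(var3)": 2},
    {"var4": "host-c", "count(var1)": 2, "sum(var2)": 7, "sum(var3)": 1},
]
# Constructed sample: output of the subsearch's "stats ... by var4".
# host-b appears in both searches; host-d and host-e appear only here.
SUB = [
    {"var4": "host-b", "count(var1)": 2, "sum(var2)": 1, "sum(var3)": 3},
    {"var4": "host-d", "count(var1)": 5, "sum(var2)": 9, "sum(var3)": 8},
    {"var4": "host-e", "count(var1)": 1, "sum(var2)": 2, "sum(var3)": 2},
]

FIELDS = ["count(var1)", "sum(var2)", "sum(var3)"]


def join(main, sub, key, kind="inner"):
    """Mimic Splunk 'join': output rows are driven by the main search.
    A key present only in the subsearch is never emitted, whether the
    join is inner (main rows with a match) or left (all main rows)."""
    by_key = {r[key]: r for r in sub}
    out = []
    for row in main:
        match = by_key.get(row[key])
        if match is None and kind == "inner":
            continue
        merged = dict(row)
        if match:
            merged.update(match)  # subsearch values win, like overwrite=true
        out.append(merged)
    return out


def append(main, sub):
    """Mimic Splunk 'append': subsearch rows are added after the main
    rows, so the same key can now appear twice (the duplicates the
    answer describes)."""
    return list(main) + list(sub)


def stats_sum_by(rows, key, fields):
    """Mimic 'stats sum(f1) as f1, ... by key': collapse duplicate keys
    by adding the per-field values together."""
    totals = defaultdict(lambda: {f: 0 for f in fields})
    for row in rows:
        for f in fields:
            totals[row[key]][f] += row.get(f, 0)
    return [{key: k, **v} for k, v in sorted(totals.items())]


def merged_result():
    """The answer's approach: append, then stats by the primary key."""
    return stats_sum_by(append(MAIN, SUB), "var4", FIELDS)


if __name__ == "__main__":
    print("inner join keys:", [r["var4"] for r in join(MAIN, SUB, "var4", "inner")])
    print("left join keys: ", [r["var4"] for r in join(MAIN, SUB, "var4", "left")])
    for row in merged_result():
        print(row)
```

Two practical notes when doing this in real SPL rather than in the simulation. First, after `stats count(var1), sum(var2) ... by var4` the output fields are literally named `count(var1)` and `sum(var2)`, so give them plain names with `as` (for example `stats count(var1) as c1, sum(var2) as s2, sum(var3) as s3 by var4`) in both the main search and the subsearch, and then sum those names in the final `stats ... by var4`; the second stats cannot refer to a field called `var1` that the first stats already consumed. Second, because both halves search the same sourcetype, the subsearch can be avoided entirely by OR-ing the two conditions into one search and running a single stats, which also sidesteps the subsearch result and time limits that the later comments in this thread ask about.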
Would you be willing to share an example? I've been battling with this one for a while and it might save some time...thanks!
So provide the event samples and the query so we can help...
Time is not the issue; the subsearch runs quickly.
The subsearch has 9 results/events.
You might be facing a subsearch limitation. To help you, let us know how many events your subsearch has...
How long does your subsearch take to run?