I am performing a search and sub search and would like to combine the results into a single result set. I have run the 2 searches individually and have an idea of what the combined result set should be. I have tried to join, append, appendcol the sub search with all of the different options inner/outer join, overwrite/override=true/false, etc. and in all of these cases, my result set is missing records that should be in there (i.e. combined i should have like 30 unique records but the max I get is 10).
Any idea what might be going on? There are some records that appear in both searches and some that are only in 1. In most cases, it seems like the sub search results are the ones that are missing.
Figured it out with an append then running another running another stats command to add values from both result sets and grouping by the primary key
Would you be willing to share an example? I've been battling with this one for a while and it might save some time...thanks!
I can't share my data, as its private customer data, but i can walk you through it in pseudo code and maybe that will help...
sourcetype=X | Where Var1=a OR (Var2=b OR Var2=d) OR Var3=g | stats count(var1), sum(var2), sum(var3) by var4 | append [search sourcetype=X | Where (Not var1=a) AND (var2=c OR var2=f) | stats count(var1), su(var2), sum(var3) by var4]
The append, combined my result sets, but it resulted in duplicates of var4. So then I added another stats command like: stats sum(var1), sum(var2), sum(var3) by var4. This combined the duplicates and added the values.