I need to get a single dashboard out of 3 different sourcetypes by passing a unique ID using the form view.
I used the 3 queries and pulled the data into the user-defined index, newindex. How do I get the data in a single value by passing the unique ID?
2012-06-25 14:52:39 123456789 3924110063741806337
2012-06-25 14:54:58 782345678 623458620530373121
2012-06-25 12:21:56 663236789 4189485991196251138
abc.occ analfnafafja-afafa-afafa 3924110063741806337
bac.occ baclfnafafja-afafa-afafa 623458620530373121
cac.occ cadlfnafafja-afafa-afafa 4189485991196251138
The mapping from 1 and 2: sid=vcsSId
The mapping from 2 and 3: vcsSId=confid
Problem statement:
I want to get a single view of all the above 3 with a unique value by passing the "mid" dynamically using the form view.
I tried joins as given below and it fetches empty results.
index=userindex source=findnode1 | fields timestamp mid sid | join sid [ search source=findnode2 | fields VCS vcsSId csId] | join vcsSId [search source=findnode3 | fields confid mcrconf host] | table mid timestamp sid confid mcrconf host
Please let me know if I am missing something, and help me with how I would combine these to get a single view in a query.
Join only works on a common field - and you haven't named common fields between your sources.
index=userindex source=find_node_1 | fields time_stamp mid sid | join sid [ search source=find_node_2 | rename vcsSId as sid | fields VCS sid csId] | join sid [search source=find_node_3 | rename confid as sid | fields sid mcrconf host] | table mid time_stamp sid mcrconf host
But why do you even need the middle join? Since you didn't use any of the fields from the second join, wouldn't it work as:
index=userindex source=find_node_1 | fields time_stamp mid sid | join sid [search source=find_node_3 | rename confid as sid | fields sid mcrconf host] | table mid time_stamp sid mcrconf host
Thanks a lot!
The reason for using the middle join is to join the sid and , I would need some of the fields in the final result to get them in the table.
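To make the answer's point concrete, here is an added example (not code from the thread, and a simplified Python model rather than Splunk itself) of an inner, first-match join like SPL's default `join`: joining on `sid` returns nothing while the second source calls the key `vcsSId`, and after the renames the three sources combine for one `mid`, keeping the middle source's fields. The assignment of the sample rows to fields is an assumption, and the third source's `mcrconf` and `host` values are constructed.

```python
# Simplified model of SPL's default `join` (inner, first match only); not Splunk code.
def rename(rows, old, new):
    """Model of `| rename old as new`."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]

def join(main, field, sub):
    """Inner join on a field that must carry the same name on both sides."""
    index = {}
    for r in sub:
        if field in r:                     # rows lacking the field can never match
            index.setdefault(r[field], r)  # keep only the first match per key
    out = []
    for r in main:
        match = index.get(r.get(field))
        if match is not None:              # inner join: unmatched rows are dropped
            out.append({**r, **match})
    return out

# Rows from the question; which column is which field is an assumption.
NODE1 = [
    {"time_stamp": "2012-06-25 14:52:39", "mid": "123456789", "sid": "3924110063741806337"},
    {"time_stamp": "2012-06-25 14:54:58", "mid": "782345678", "sid": "623458620530373121"},
    {"time_stamp": "2012-06-25 12:21:56", "mid": "663236789", "sid": "4189485991196251138"},
]
NODE2 = [
    {"VCS": "abc.occ", "csId": "analfnafafja-afafa-afafa", "vcsSId": "3924110063741806337"},
    {"VCS": "bac.occ", "csId": "baclfnafafja-afafa-afafa", "vcsSId": "623458620530373121"},
    {"VCS": "cac.occ", "csId": "cadlfnafafja-afafa-afafa", "vcsSId": "4189485991196251138"},
]
# Constructed rows: the thread shows no sample data for the third source.
NODE3 = [
    {"confid": "3924110063741806337", "mcrconf": "conf-a", "host": "host-a"},
    {"confid": "623458620530373121", "mcrconf": "conf-b", "host": "host-b"},
    {"confid": "4189485991196251138", "mcrconf": "conf-c", "host": "host-c"},
]

def asker_query():
    """Join on `sid` while the second source still names the key `vcsSId`."""
    return join(NODE1, "sid", NODE2)

def combined_view(mid):
    """Filter on the form's mid, rename both keys to `sid`, then join twice."""
    rows = [r for r in NODE1 if r["mid"] == mid]
    rows = join(rows, "sid", rename(NODE2, "vcsSId", "sid"))
    rows = join(rows, "sid", rename(NODE3, "confid", "sid"))
    cols = ("mid", "time_stamp", "sid", "VCS", "csId", "mcrconf", "host")
    return [{c: r[c] for c in cols} for r in rows]
```

`asker_query()` comes back empty, matching the empty results in the question, while `combined_view("782345678")` returns one row that carries fields from all three sources.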