I wants to append multiple search results in separate columns.
The following searches are fetched from different source types.
Search 1.
.......uri_path="/landing/view/*" method=POST | stats dc(sessionId) as A by date_month
Search 2.
......."REBOOKED_ACTIONED" | stats dc(session_id) as B by date_month
Search 3.
.......uri_path="/cancel/confirmed/*" method=POST | stats dc(sessionId) as C by date_month
Expected Result in the following format:
Date_Month A B C pec_B pec_C
JAN-2016 20 10 2 (10*100)/A=50% 10%
DEC-2015 40 30 5 75% 12.5%
Please advise..
Try something like this
(base search 1 i.e. sourcetype=soucetypeA uri_path="/landing/view/*" method=POST) OR (base search2 i.e. sourcetype=soucetypeB "REBOOKED_ACTIONED") OR (base search 3 i.e. sourcetype=soucetypeC uri_path="/cancel/confirmed/*" method=POST ) | stats dc(sessionId) over date_month by sourcetype | rename sourcetypeA as A sourcetypeB as B sourcetypeC as C | eval pec_B=(B*100)/A | eval pec_C=(C*100)/A
Hi,
Try this,
.......uri_path="/landing/view/*" method=POST | stats dc(sessionId) as A by date_month | sort 0 date_month | appendcols [......."REBOOKED_ACTIONED" | stats dc(session_id) as B by date_month | sort 0 date_month ] | appendcols [ .......uri_path="/cancel/confirmed/*" method=POST | stats dc(sessionId) as C by date_month | sort 0 date_month ]
Thanks,
V